disable dnssec in bind resolver
Alan Clegg
aclegg at isc.org
Fri Jun 4 18:16:05 UTC 2010
On 6/4/2010 1:52 PM, R. Kevin Oberman wrote:
> First, dns-validation is 'off' by default in all BIND versions. It's
> dnssec-enable that started defaulting to 'yes'.
No, it isn't. The only reason that dnssec-validation appears "off" is
that without trust anchors, it doesn't do anything. Insert a trust
anchor and you validate, even without "dnssec-validation yes;" in your
configuration.
Really.
> Second, your firewall is simply broken. You will continue to have
> problems with DNS until you fix/replace it. I have not seen a recent
> firewall broken in this manner for a while, but this was quite common
> a couple of years ago.
100% agreed.
> For the moment, turning off dnssec-enable is probably your best hope,
> but it's not a fix and you are likely to see continuing problems on a
> smaller scale until the firewall is fixed.
Yep.
AlanC
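
Added example, not part of the original message or of BIND itself: a small check that reports whether a named.conf would actually validate under the behaviour described above (both options treated as defaulting to yes, validation inert until a trust anchor exists). It assumes trust anchors are given in `trusted-keys` or `managed-keys` blocks; the sample configurations and key data are constructed placeholders.

```python
import re

# Keep quoted strings intact (base64 key data may contain "//"); drop comments.
_TOKEN = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def strip_comments(conf):
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", conf)

def option(text, name, default):
    """Value of a yes/no style option, or the default when it is absent."""
    m = re.search(r"\b" + re.escape(name) + r"\s+(\w+)\s*;", text)
    return m.group(1).lower() if m else default

def has_trust_anchor(text):
    """True if a trusted-keys or managed-keys block holds at least one key."""
    for body in re.findall(r"\b(?:trusted|managed)-keys\s*\{([^}]*)\}", text):
        if re.search(r'"[^"]+"\s*;', body):
            return True
    return False

def validation_state(conf):
    text = strip_comments(conf)
    # Defaults assumed from the message above: both options default to yes.
    if option(text, "dnssec-enable", "yes") == "no":
        return "off (dnssec-enable no)"
    if option(text, "dnssec-validation", "yes") == "no":
        return "off (dnssec-validation no)"
    if not has_trust_anchor(text):
        return "inert (no trust anchor)"
    return "validating"

# Constructed samples; the key data is a placeholder, not a real DNSKEY.
ANCHOR = 'trusted-keys { example.com. 257 3 5 "PLACEHOLDER//KEY=="; };\n'
BARE = 'options { directory "/var/named"; };\n'
WORKAROUND = 'options { dnssec-enable no; };\n' + ANCHOR

if __name__ == "__main__":
    for name, conf in [("bare", BARE), ("anchor", BARE + ANCHOR),
                       ("commented", BARE + "// " + ANCHOR),
                       ("workaround", WORKAROUND)]:
        print(f"{name:11} {validation_state(conf)}")
```
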