disable dnssec in bind resolver

JINMEI Tatuya / 神明達哉 jinmei at isc.org
Fri Jun 4 18:19:46 UTC 2010


At Fri, 4 Jun 2010 16:50:26 +0200,
Jan Buchholz <96devil at googlemail.com> wrote:

> >> how can I disable dnssec in the bind resolver ? My firewall doesn't let
> >> packets with DO flag through. I've tried 'dnssec-enable no;' , but
> >> this doesn't fix the problem.
> >
> > I believe that only disables *serving* DNSSEC records.
> >
> > I think you want 'dnssec-validation no;'

> sorry, 'dnssec-validation no;' is already configured, because that's
> the default.

The DO bit is always set whenever the server includes an EDNS OPT RR
(I thought it was based on the specification, but don't remember which
sentence of which RFC says so).

So, your only choice is to completely disable EDNS:

server ::/0 {
       edns no;
};

server 0.0.0.0/0 {
       edns no;
};

As others said, however, I'd rather say "the fix is to upgrade/replace
the broken firewall".  Please consider it only for a short-term
workaround and seriously consider fixing the real problem.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.