disable dnssec in bind resolver
Doug Barton
dougb at dougbarton.us
Fri Jun 4 22:56:59 UTC 2010
On 06/04/10 11:19, JINMEI Tatuya / 神明達哉 wrote:
> The DO bit is always set whenever the server includes an EDNS OPT RR
> (I thought it was based on the specification, but don't remember which
> sentence of which RFC says so).
Given that concern about whether or not it's a good idea to always send
DO=1 has come up in other contexts, I for one would like to see chapter
and verse for why doing so is a MUST/SHOULD. If it turns out that DO=1
is not required, I'd like to see a BIND option to turn it off.
Regarding the OP's situation, there are at least 2 problems. The first
being putting a firewall in front of a name server to start with, and
the second being that the firewall is broken. However I can think of
other reasons to want DO=0, especially in the age where having DNSSEC
records is going to be increasingly more common.
I have a guess at why ISC would want to enable it by default, and even
in the presence of an option to turn it off I'm still OK with that
default. But if it's not a standards requirement to have it on, giving
the admin a choice would be a welcome thing.
FWIW,
Doug
--
... and that's just a little bit of history repeating.
-- Propellerheads
Improve the effectiveness of your Internet presence with
a domain name makeover! http://SupersetSolutions.com/
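For readers following the thread who want to see exactly what "DO=1" means on the wire: the DO bit is the most significant bit of the 16-bit extended-flags field carried in the TTL slot of the EDNS0 OPT pseudo-RR (type 41), and the requester's UDP payload size sits in the OPT RR's CLASS slot. The following Python is an added example written for this archive page, not code from the thread, from BIND or from ISC. It builds a constructed query for a sample name with and without the DO bit, parses the OPT RR back out of the wire format, and shows how a tool that wanted to clear DO (as Doug asks BIND for an option to do) would rewrite just that one bit. The query name, transaction id and payload size are assumed sample values; no network traffic is sent.

```python
import struct

# EDNS0 OPT pseudo-RR layout (RFC 6891):
#   NAME = root (single 0x00 byte), TYPE = 41,
#   CLASS = requester's UDP payload size,
#   TTL   = extended RCODE (8 bits) | EDNS version (8 bits) | flags (16 bits).
# The DO ("DNSSEC OK") bit from RFC 3225 is the top bit of the flags field.
OPT_TYPE = 41
DO_FLAG = 0x8000


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, edns=True, do=True, payload_size=4096, txid=0x1234):
    """Constructed sample query: RD set, one question, optional OPT RR in ADDITIONAL."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    msg = header + question
    if edns:
        ttl = DO_FLAG if do else 0          # ext-RCODE 0, version 0, flags
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, payload_size, ttl, 0)
    return msg


def skip_name(msg, off):
    """Return the offset just past a name (handles a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:           # 2-byte compression pointer
            return off + 2
        off += 1 + length


def skip_rr(msg, off):
    off = skip_name(msg, off)
    rdlen = struct.unpack_from("!H", msg, off + 8)[0]
    return off + 10 + rdlen


def find_opt(msg):
    """Offset of the OPT RR in the ADDITIONAL section, or None if absent."""
    _txid, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4       # QTYPE + QCLASS
    for _ in range(an + ns):
        off = skip_rr(msg, off)
    for _ in range(ar):
        name_end = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, name_end)
        if rtype == OPT_TYPE:
            return off
        off = name_end + 10 + rdlen
    return None


def edns_info(msg):
    """None when the message carries no OPT RR, else the decoded EDNS fields."""
    off = find_opt(msg)
    if off is None:
        return None
    name_end = skip_name(msg, off)
    _rtype, rclass, ttl, _rdlen = struct.unpack_from("!HHIH", msg, name_end)
    return {
        "do": bool(ttl & DO_FLAG),
        "version": (ttl >> 16) & 0xFF,
        "ext_rcode": ttl >> 24,
        "payload_size": rclass,
    }


def set_do(msg, do):
    """Return a copy of msg with the DO bit set or cleared; everything else untouched."""
    off = find_opt(msg)
    if off is None:
        raise ValueError("message has no OPT RR, so there is no DO bit to change")
    ttl_off = skip_name(msg, off) + 4       # past TYPE and CLASS
    ttl = struct.unpack_from("!I", msg, ttl_off)[0]
    ttl = (ttl | DO_FLAG) if do else (ttl & ~DO_FLAG & 0xFFFFFFFF)
    return msg[:ttl_off] + struct.pack("!I", ttl) + msg[ttl_off + 4:]


if __name__ == "__main__":
    q = build_query("example.com")          # sample name, not a real lookup
    print("DO=1 query:", edns_info(q))
    print("after clearing DO:", edns_info(set_do(q, False)))
    print("no EDNS:", edns_info(build_query("example.com", edns=False)))
```

Running it prints the decoded OPT fields for the DO=1 query, the same query after the bit is cleared, and `None` for a plain non-EDNS query, which is the three cases a firewall that mishandles EDNS or DO would treat differently.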