disable dnssec in bind resolver

Mark Andrews marka at isc.org
Tue Jun 8 15:02:42 UTC 2010


In message <D7C8ADA3-F213-4AE9-9FBE-8D613D97D69F at kumari.net>, Warren Kumari writes:
> On Jun 8, 2010, at 6:26 AM, Jan Buchholz wrote:
> 
> > Thanks @all, sorry I was out of the office yesterday. I'll discuss the
> > issue this week at the German Linux Tag in Berlin.
> >
> > What's your meaning of firewalls, who look into packets and block them
> > if the filter doesn't know a flag.
> 
> Some "high security" firewalls examine the actual payload of the 
> packets and validate that the payload follows the spec (at least as 
> they understand the spec). This sounds like a great win, because it 
> allows you to make sure that folks aren't tunneling things over other 
> ports, "protects" your backend from application level attacks (and 
> attacks on the TCP stack and such) and allows NAT fixups for things 
> like SIP -- this is often called an ALG (Application layer gateway), 
> fixups or something similar. Unfortunately they almost always cause 
> way way more issues than they solve, and cause really really 
> interesting troubleshooting problems[0]. The firewall has to maintain 
> a huge amount of state, the ALG is coded for a protocol at a specific 
> point in time and so doesn't deal with extensions (like edns 
> apparently :-P), etc.

You wonder about firewall vendors and whether they are doing their jobs
when they don't support parts of the protocol that are a decade old and
are standards track.

	EDNS 1999, DO 2001
 
Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
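The thread's point is that an ALG written against the 1999-era DNS wire format has to understand the EDNS0 OPT pseudo-record (and the DO bit inside it) or it will reject or mangle perfectly valid queries. The following Python, added here as an illustration and not code from the thread or from BIND, builds a query with and without an OPT record, parses the OPT fields out of a packet, and classifies a query/reply pair so an operator can tell "EDNS was never asked for" apart from "EDNS was asked for but the reply came back without it", which is the symptom a flag-stripping middlebox or a legacy server produces. The reply packets are constructed in the script (the `constructed_reply` helper is hypothetical, not a real server), so it runs offline.

```python
import struct

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR type (RFC 6891)
DO_FLAG = 0x8000       # DNSSEC OK bit, top bit of the OPT "TTL" flags field


def _encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS label form (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past the name starting at off (handles pointers)."""
    while True:
        ln = pkt[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + ln


def build_query(name, qtype=1, txid=0x1234, edns=True, do=True, udp_size=4096):
    """Build a recursive query; with edns=True append an OPT RR in ADDITIONAL."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = _encode_name(name) + struct.pack("!HH", qtype, 1)
    if not edns:
        return header + question
    # OPT RR: root name, TYPE=41, CLASS=sender's UDP payload size,
    # TTL reinterpreted as ext-RCODE(8) | version(8) | flags(16), RDLEN=0.
    flags = DO_FLAG if do else 0
    opt = b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, udp_size, 0, 0, flags, 0)
    return header + question + opt


def parse_edns(pkt):
    """Return the OPT fields of a DNS message, or None if it carries no OPT RR."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == OPT_TYPE:
            return {
                "udp_size": rclass,
                "ext_rcode": ttl >> 24,
                "version": (ttl >> 16) & 0xFF,
                "do": bool(ttl & DO_FLAG),
            }
        off += rdlen
    return None


def classify(query, response):
    """'ok', 'stripped' (OPT requested but absent in reply) or 'not-requested'."""
    if parse_edns(query) is None:
        return "not-requested"
    if parse_edns(response) is None:
        # Either a middlebox removed/blocked the OPT RR or the server predates
        # EDNS; both look the same on the wire and need a DO-less retry.
        return "stripped"
    return "ok"


def constructed_reply(query, keep_opt):
    """Constructed sample reply (not from a real server): echo the query with
    QR/RD/RA set; with keep_opt=False the trailing OPT RR is dropped."""
    txid, _, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    body = query[12:]
    if not keep_opt:
        end = _skip_name(query, 12) + 4         # end of the question section
        body, ar = query[12:end], 0
    return struct.pack("!HHHHHH", txid, 0x8180, qd, an, ns, ar) + body


if __name__ == "__main__":
    q = build_query("example.com.")
    print("query OPT:", parse_edns(q))
    print("intact reply:", classify(q, constructed_reply(q, True)))
    print("OPT removed:", classify(q, constructed_reply(q, False)))
```

The same `parse_edns` walk is what a packet capture check would run on traffic in front of and behind a suspect firewall: if queries on the inside carry an OPT RR with DO set and the matching replies outside do not, the device in between is the component that does not speak the 2001 vintage of the protocol.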
