Disabling DNSSEC validation per zone?
Daniel McDonald
dan.mcdonald at austinenergy.com
Fri Jul 8 16:14:09 UTC 2011
On 7/8/11 10:41 AM, "Phil Mayers" <p.mayers at imperial.ac.uk> wrote:
> On 08/07/11 15:13, Daniel McDonald wrote:
>> I have a number of zones being served by rbldnsd, with bind as a
>> front-end. The zones are defined as forward only in named.conf.
>>
>> When I enable dnssec validation, these zones report that they are
>> insecure.
>> 08-Jul-2011 08:55:58.700 dnssec: info: validating @0xb4260ad8:
>> ips.backscatterer.local SOA: got insecure response; parent indicates it
>> should be secure
>>
>> I'm not really certain which parent is reporting this
>
> Well, backscatterer.local presumably.
>
> What does:
>
> dig @localhost ips.backscatterer.local ds
>
> ...say?
NXDOMAIN
[~]$ dig @localhost ips.backscatterer.local ds
; <<>> DiG 9.8.0-P4 <<>> @localhost ips.backscatterer.local ds
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26308
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;ips.backscatterer.local. IN DS
;; AUTHORITY SECTION:
. 7957 IN SOA a.root-servers.net.
nstld.verisign-grs.com. 2011070800 1800 900 604800 86400
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jul 8 11:05:23 2011
;; MSG SIZE rcvd: 116
>
>>
>> Is there a way to disable dnssec validation on these zones, while still
>> requiring it elsewhere?
>
> I believe not.
I guess that means I need to set aside a separate zone registered for my
rbls (I have a fair number of them) and not sign it.
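Added example (not part of the original message or of BIND): a small Python parser for the dig output quoted above. It reads the owner name of the SOA record in the AUTHORITY section to identify which zone issued the NXDOMAIN for the DS query, which here is the root zone. The function names are illustrative, and the sample input is the dig output from the message, including the mail-wrapped SOA line.

```python
import re

# dig output as quoted in the message above (mail-wrapped SOA line included).
DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26308
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;ips.backscatterer.local. IN DS
;; AUTHORITY SECTION:
. 7957 IN SOA a.root-servers.net.
nstld.verisign-grs.com. 2011070800 1800 900 604800 86400
;; Query time: 0 msec
"""

def parse_negative_answer(text):
    """Return status, question and the zone whose SOA backs the denial."""
    result = {"status": None, "qname": None, "qtype": None, "soa_zone": None}
    section = None
    for line in text.splitlines():
        line = line.strip()
        m = re.search(r"status: (\w+)", line)
        if m and "HEADER" in line:
            result["status"] = m.group(1)
        elif line.startswith(";;"):
            m = re.match(r";; (\w+) SECTION:", line)
            section = m.group(1) if m else None
        elif section == "QUESTION" and line.startswith(";"):
            fields = line[1:].split()
            result["qname"], result["qtype"] = fields[0].lower(), fields[-1]
        elif section == "AUTHORITY" and result["soa_zone"] is None:
            fields = line.split()
            # Only the owner field is used, so a wrapped RDATA line is harmless.
            if len(fields) >= 4 and fields[3] == "SOA":
                result["soa_zone"] = fields[0].lower()
    return result

def unproven_names(qname, soa_zone):
    """Names from just below the denying zone down to qname, top first."""
    labels = [l for l in qname.split(".") if l]
    depth = len([l for l in soa_zone.split(".") if l])
    return [".".join(labels[i:]) + "." for i in range(len(labels) - depth - 1, -1, -1)]

def diagnose(text):
    r = parse_negative_answer(text)
    if r["status"] == "NXDOMAIN" and r["soa_zone"]:
        first = unproven_names(r["qname"], r["soa_zone"])[0]
        return f"{r['soa_zone']} denies {r['qname']}; first missing name: {first}"
    return f"status {r['status']}: no denial to attribute"
```

Calling diagnose(DIG_OUTPUT) attributes the denial to "." and reports "local." as the first name with no delegation in that zone.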