proper setup of dnssec-validation to _always_ resolve, and retrieve DATA and status flags ?

Mark Andrews marka at isc.org
Tue May 10 04:48:40 UTC 2011


In message <1304999903.6599.1450152113 at webmail.messagingengine.com>, "" writes:
> Among numerous examples of folks running Bind9 in split-view mode
> similar to my config, I found this unanswered DNSSEC-related post,
> 
>  "DNSSEC Validating Resolver and Views"
>   https://lists.isc.org/pipermail/bind-users/2010-March/079166.html
> 
> which seems, at least, similar to the issue I'm seeing,
> 
> " ... This setup has been working for years but is now broken for clients
>  querying from a guest network (via the guest view) unless the queries
>  have checking disabled. ..."
> 
> Checking with my server for apparently unsigned 'www.adobe.com',
> 
> dig www.adobe.com
> 
> 	; <<>> DiG 9.8.0-P1 <<>> www.adobe.com
> 	;; global options: +cmd
> 	;; Got answer:
> 	;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12026
> 	;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> 	;; QUESTION SECTION:
> 	;www.adobe.com.                 IN      A
> 
> 	;; Query time: 24 msec
> 	;; SERVER: 10.10.10.100#53(10.10.10.100)
> 	;; WHEN: Mon May  9 13:53:29 2011
> 	;; MSG SIZE  rcvd: 31
> 
> dig www.adobe.com +cd
> 
> 	; <<>> DiG 9.8.0-P1 <<>> www.adobe.com +cd
> 	;; global options: +cmd
> 	;; Got answer:
> 	;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50312
> 	;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0
> 
> 	;; QUESTION SECTION:
> 	;www.adobe.com.                 IN      A
> 
> 	;; ANSWER SECTION:
> 	www.adobe.com.          3592    IN      CNAME   www.wip4.adobe.com.
> 	www.wip4.adobe.com.     30      IN      A       192.150.16.60
> 
> 	;; AUTHORITY SECTION:
> 	wip4.adobe.com.         3337    IN      NS      da1gtm001.adobe.com.
> 	wip4.adobe.com.         3337    IN      NS      3dns-5.adobe.com.
> 
> 	;; Query time: 52 msec
> 	;; SERVER: 10.10.10.100#53(10.10.10.100)
> 	;; WHEN: Mon May  9 13:53:37 2011
> 	;; MSG SIZE  rcvd: 115
> 
> shows, as in the referenced post, that checking a dnssec-unsigned
> domain @ resolver with dnssec-validation enabled returns DATA only if
> that validation is DISABLED.

What does "dig DS adobe.com" return?
 
> DCh
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
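
The comparison made in the quoted message (same query with and without +cd), as an added example that is not part of the original thread: it parses the header lines of the two dig runs and reports whether the failure is confined to validation. The function names and result labels are this example's own, and the sample input is constructed from the header lines quoted above.

```python
import re

# Constructed sample input: header lines of the two dig runs quoted in the
# message above (default query, then +cd), trimmed to what the parser needs.
DIG_DEFAULT = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12026
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""
DIG_CD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50312
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0
"""

HEADER_RE = re.compile(r"->>HEADER<<-.*?status:\s*(\w+)")
FLAGS_RE = re.compile(r";; flags:\s*([a-z ]*);.*?ANSWER:\s*(\d+)")


def parse_dig(text):
    """Return (rcode, set_of_flags, answer_count) from dig's header lines."""
    status = HEADER_RE.search(text)
    flags = FLAGS_RE.search(text)
    if not status or not flags:
        raise ValueError("no dig header found")
    return status.group(1), set(flags.group(1).split()), int(flags.group(2))


def classify(default_out, cd_out):
    """Compare a normal query with the same query sent with +cd."""
    rcode, flags, _ = parse_dig(default_out)
    cd_rcode, cd_flags, cd_answers = parse_dig(cd_out)
    if "cd" not in cd_flags:
        return "not-a-cd-query"          # second run lacks the CD bit
    if rcode == "SERVFAIL" and cd_rcode == "NOERROR" and cd_answers > 0:
        # Data is reachable; the resolver only withholds it when validating.
        return "validation-failure"
    if rcode == "SERVFAIL" and cd_rcode == "SERVFAIL":
        # Fails even with checking disabled: not explained by validation alone.
        return "resolution-failure"
    if rcode == "NOERROR":
        # The ad flag marks data the resolver considers authenticated.
        return "answered-ad" if "ad" in flags else "answered-no-ad"
    return "other:" + rcode


if __name__ == "__main__":
    print(classify(DIG_DEFAULT, DIG_CD))
```
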


