BIND 9.9.0 is now available
owens at nysernet.org
Fri Mar 2 13:43:10 UTC 2012
On Fri, Mar 02, 2012 at 11:13:06AM +0100, Matus UHLAR - fantomas wrote:
> On 29.02.12 17:53, Michael McNally wrote:
> > NXDOMAIN redirection is now possible. This enables a resolver
> > to respond to a client with locally-configured information
> > when a query would otherwise have gotten an answer of "no
> > such domain". This allows a recursive nameserver to provide
> > alternate suggestions for misspelled domain names. Note that
> > names that are in DNSSEC-signed domains are exempted from
> > this when validation is in use. [RT #23146]
> just by signing? so I can spare all our domains from being misused by
> such shit just by signing them?
That's one half of it; the queries also need to request DNSSEC (EDNS DO=1). One or the other, by itself, isn't enough. This applies to both NXDOMAIN rewriting and RPZ, as of 9.9.0 (the RPZ behavior changed during the 9.9.0 development process).
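The two conditions in the reply above, shown on the wire. This is an added example, not part of the original message and not BIND's code: the query bytes are constructed, `exempt_from_rewrite` is a hypothetical helper that only models the rule as stated in the reply, and a validating resolver is assumed.

```python
import struct

OPT_TYPE = 41      # EDNS0 OPT pseudo-RR (RFC 6891)
DO_FLAG = 0x8000   # "DNSSEC OK": top bit of the EDNS flags in the OPT TTL field (RFC 3225)

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, edns=True, do=False, qid=0x1234):
    """Constructed A/IN query with RD set; optionally append an OPT RR."""
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    if edns:
        # Root owner name, TYPE=OPT, CLASS=UDP payload size,
        # TTL=ext-rcode|version|flags, RDLEN=0
        msg += struct.pack("!BHHIH", 0, OPT_TYPE, 4096, DO_FLAG if do else 0, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer ends the name
            return off + 2
        if length == 0:             # root label ends the name
            return off + 1
        off += 1 + length

def query_has_do(msg):
    """True only if the message carries an OPT RR with the DO bit set."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == OPT_TYPE:
            return bool(ttl & DO_FLAG)
        off += 10 + rdlen
    return False

def exempt_from_rewrite(zone_signed, msg):
    # Model of the rule as stated in the reply: both conditions are required.
    return zone_signed and query_has_do(msg)
```

A query that uses EDNS but leaves DO=0, or that omits the OPT record entirely, fails the second condition even when the zone is signed.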