Disabling DNSSEC until...

Robert Moskowitz rgm at htt-consult.com
Sun Mar 3 13:10:43 UTC 2013

I solve the EDNS problem, probably on my Juniper SSG5.  This will 
initially have to wait until Juniper gets back to me, or I corner some 
of their developers at IETF in a couple weeks.  Alternatively I replace 
the SSG5...

And I change my registry to one that supports DNSSEC.

Commenting all the lines about DNSSEC does not seem to totally stop it, 
as I see the following message after restarting named:

Mar  3 07:48:45 onlo named[7049]: managed-keys-zone ./IN/external: 
loaded serial 352

And eventhough rigel and klovia were restarted with all the DNSSEC lines 
commented out, I am still getting the 'no valid RRSIG' messages for 
htt.  I suspect I am dealing with defaults here and will have to 
explicitly state:

     dnssec-enable no;
     dnssec-validation no;

Anything else I need to do to really turn dnssec off for now?

More information about the bind-users mailing list