Disabling DNSSEC until...

Robert Moskowitz rgm at htt-consult.com
Sun Mar 3 13:18:02 UTC 2013

On 03/03/2013 08:10 AM, Robert Moskowitz wrote:
> I solve the EDNS problem, probably on my Juniper SSG5.  This will 
> initially have to wait until Juniper gets back to me, or I corner some 
> of their developers at IETF in a couple weeks.  Alternatively I 
> replace the SSG5...
> And I change my registry to one that supports DNSSEC.
> Commenting all the lines about DNSSEC does not seem to totally stop 
> it, as I see the following message after restarting named:
> Mar  3 07:48:45 onlo named[7049]: managed-keys-zone ./IN/external: 
> loaded serial 352
> And eventhough rigel and klovia were restarted with all the DNSSEC 
> lines commented out, I am still getting the 'no valid RRSIG' messages 
> for htt.  I suspect I am dealing with defaults here and will have to 
> explicitly state:
>     dnssec-enable no;
>     dnssec-validation no;

Still getting the loading of managed-keys-zone, but now I get resolution 
for htt. on the caching server.  I see much testing ahead of me, as 
there is no firewall between rigel and klovia.  This at least will allow 
me to launch klovia as my new mail server as I work out the DNSSEC 
related items.

> Anything else I need to do to really turn dnssec off for now?

Still wonder what will stop the manage-keys-zone loading.

More information about the bind-users mailing list