Disabling DNSSEC until...
Robert Moskowitz
rgm at htt-consult.com
Sun Mar 3 13:18:02 UTC 2013
On 03/03/2013 08:10 AM, Robert Moskowitz wrote:
> I solve the EDNS problem, probably on my Juniper SSG5. This will
> initially have to wait until Juniper gets back to me, or I corner some
> of their developers at IETF in a couple weeks. Alternatively I
> replace the SSG5...
>
> And I change my registry to one that supports DNSSEC.
>
> Commenting all the lines about DNSSEC does not seem to totally stop
> it, as I see the following message after restarting named:
>
> Mar 3 07:48:45 onlo named[7049]: managed-keys-zone ./IN/external:
> loaded serial 352
>
> And even though rigel and klovia were restarted with all the DNSSEC
> lines commented out, I am still getting the 'no valid RRSIG' messages
> for htt. I suspect I am dealing with defaults here and will have to
> explicitly state:
>
> dnssec-enable no;
> dnssec-validation no;

Still getting the loading of managed-keys-zone, but now I get resolution
for htt. on the caching server. I see much testing ahead of me, as
there is no firewall between rigel and klovia. This at least will allow
me to launch klovia as my new mail server as I work out the DNSSEC
related items.

>
> Anything else I need to do to really turn dnssec off for now?

Still wonder what will stop the managed-keys-zone loading.

More information about the bind-users mailing list
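
The message above reports that commenting out the DNSSEC lines left named on its defaults, and that only the explicit `no` settings restored resolution. As an added example (not part of the original post and not BIND's own tooling), this Python sketch audits a named.conf text for that condition; the function names and both sample configurations are constructed for illustration.

```python
import re

# Statement names taken from the post; everything else here is illustrative.
DNSSEC_OPTS = ("dnssec-enable", "dnssec-validation")

# Quoted strings are matched first so a '#' or '//' inside one is not
# mistaken for a comment; the other alternatives are named.conf's comment styles.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def strip_comments(conf):
    """Return conf with /* */, // and # comments blanked out."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", conf)

def audit(conf):
    """Map each DNSSEC option to 'unset', 'off' or 'on'."""
    active = strip_comments(conf)
    report = {}
    for opt in DNSSEC_OPTS:
        # Collect every active setting, whether in options{} or a view{}.
        values = re.findall(r"(?<![\w-])" + re.escape(opt) + r"\s+([\w-]+)\s*;", active)
        if not values:
            report[opt] = "unset"   # named falls back to its built-in default
        elif all(v.lower() == "no" for v in values):
            report[opt] = "off"
        else:
            report[opt] = "on"      # at least one yes/auto remains
    return report

# Constructed sample: DNSSEC lines merely commented out.
COMMENTED = '''
options {
    directory "/var/named";   // constructed path
    # dnssec-enable yes;
    // dnssec-validation yes;
    /* dnssec-validation auto; */
};
'''

# Constructed sample: the explicit settings from the post.
EXPLICIT = '''
options {
    directory "/var/named";
    dnssec-enable no;
    dnssec-validation no;
};
'''

if __name__ == "__main__":
    for name, conf in (("commented", COMMENTED), ("explicit", EXPLICIT)):
        print(name, audit(conf))
```

An `unset` result means the file says nothing active about that option, which is the state the post describes after commenting the lines out.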