How to disable DNSSEC/EDNS for lwresd

Mark Andrews marka at isc.org
Wed Apr 30 05:09:10 UTC 2014


In message <483759859.6291670.1398781076480.JavaMail.zimbra at redhat.com>, Tomas H
ozza writes:
> Hi.
> 
> I'm trying to disable DNSSEC/EDNS for the lwresd using the
> following lwresd.conf:
> 
> options {
> 	directory "/var/named/";
> 
> 	dnssec-enable no;
> 	dnssec-validation no;
> 
> 	pid-file "/run/named/lwresd.pid";
> 	session-keyfile "/run/named/session.key";
> };
> 
> lwres {
> 	search {example1.;};
> 	ndots 1;
> };
> 
> But it seems that the 'dnssec-enable no;' statement has no
> influence on the EDNS usage in queries sent by lwresd.

"dnssec-enable no;" controls how named responds to DO=1 queries.
It is a no-op to lwresd as it is not processing DNS requests.
 
> I was able to disable EDNS when lwres is run as named
> using:
> 
> server 0.0.0.0/0 {
>         edns no;
> };
> 
> server ::/0 {
>         edns no;
> };

Just add the server clauses to lwresd.conf.

"lwresd -c lwresd.conf" is running as lwresd
"lwresd -C resolv.conf" is running as lwresd
"lwresd" is the same as "lwresd -C /etc/resolv.conf"

"named -c named.conf" (with a lwres clause) is running as both named and lwresd
"named -c named.conf" (without a lwres clause) is running as just named

> in the configuration. However I was not able to disable EDNS
> when running lwresd.
> 
> We have a user that would like to disable EDNS to reduce the
> overhead it adds and improve the performance. The DNSSEC is
> not a priority for them.
> 
> Is there way to disable DNSSEC/EDNS for lwresd?
> 
> Thank you in advance.
> 
> 
> Regards,
> -- 
> Tomas Hozza
> Software Engineer - EMEA ENG Developer Experience
> 
> PGP: 1D9F3C2D
> Red Hat Inc.                               http://cz.redhat.com
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org


More information about the bind-users mailing list