How to disable DNSSEC/EDNS for lwresd
Tomas Hozza
thozza at redhat.com
Wed Apr 30 07:44:18 UTC 2014
----- Original Message -----
>
> In message <483759859.6291670.1398781076480.JavaMail.zimbra at redhat.com>,
> Tomas H
> ozza writes:
> > Hi.
> >
> > I'm trying to disable DNSSEC/EDNS for the lwresd using the
> > following lwresd.conf:
> >
> > options {
> > directory "/var/named/";
> >
> > dnssec-enable no;
> > dnssec-validation no;
> >
> > pid-file "/run/named/lwresd.pid";
> > session-keyfile "/run/named/session.key";
> > };
> >
> > lwres {
> > search {example1.;};
> > ndots 1;
> > };
> >
> > But it seems that the 'dnssec-enable no;' statement has no
> > influence on the EDNS usage in queries sent by lwresd.
>
> "dnssec-enable no;" controls how named responds to DO=1 queries.
> It is a no-op to lwresd as it is not processing DNS requests.
>
> > I was able to disable EDNS when lwres is run as named
> > using:
> >
> > server 0.0.0.0/0 {
> > edns no;
> > };
> >
> > server ::/0 {
> > edns no;
> > };
>
> Just add the server clauses to lwresd.conf.
>
> "lwresd -c lwresd.conf" is running as lwresd
> "lwresd -C resolv.conf" is running as lwresd
> "lwresd" is the same as "lwresd -C /etc/resolv.conf"
>
> "named -c named.conf" (with a lwres clause) is running as both named and
> lwresd
> "named -c named.conf" (without a lwres clause) is running as just named
Thank you for the explanation. I was apparently running lwresd with pointing
it to resolv.conf instead of lwresd.conf. Everything works fine now.
Regards,
Tomas
> > in the configuration. However I was not able to disable EDNS
> > when running lwresd.
> >
> > We have a user that would like to disable EDNS to reduce the
> > overhead it adds and improve the performance. The DNSSEC is
> > not a priority for them.
> >
> > Is there way to disable DNSSEC/EDNS for lwresd?
> >
> > Thank you in advance.
> >
> >
> > Regards,
> > --
> > Tomas Hozza
> > Software Engineer - EMEA ENG Developer Experience
> >
> > PGP: 1D9F3C2D
> > Red Hat Inc. http://cz.redhat.com
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> > unsubscribe
> > from this list
> >
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
>
--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience
PGP: 1D9F3C2D
Red Hat Inc. http://cz.redhat.com
More information about the bind-users
mailing list