How to disable DNSSEC/EDNS for lwresd

Tomas Hozza thozza at redhat.com
Wed Apr 30 07:44:18 UTC 2014


----- Original Message -----
> 
> In message <483759859.6291670.1398781076480.JavaMail.zimbra at redhat.com>,
> Tomas Hozza writes:
> > Hi.
> > 
> > I'm trying to disable DNSSEC/EDNS for the lwresd using the
> > following lwresd.conf:
> > 
> > options {
> > 	directory "/var/named/";
> > 
> > 	dnssec-enable no;
> > 	dnssec-validation no;
> > 
> > 	pid-file "/run/named/lwresd.pid";
> > 	session-keyfile "/run/named/session.key";
> > };
> > 
> > lwres {
> > 	search {example1.;};
> > 	ndots 1;
> > };
> > 
> > But it seems that the 'dnssec-enable no;' statement has no
> > influence on the EDNS usage in queries sent by lwresd.
> 
> "dnssec-enable no;" controls how named responds to DO=1 queries.
> It is a no-op to lwresd as it is not processing DNS requests.
>  
> > I was able to disable EDNS when lwres is run as named
> > using:
> > 
> > server 0.0.0.0/0 {
> >         edns no;
> > };
> > 
> > server ::/0 {
> >         edns no;
> > };
> 
> Just add the server clauses to lwresd.conf.
> 
> "lwresd -c lwresd.conf" is running as lwresd
> "lwresd -C resolv.conf" is running as lwresd
> "lwresd" is the same as "lwresd -C /etc/resolv.conf"
> 
> "named -c named.conf" (with a lwres clause) is running as both named and lwresd
> "named -c named.conf" (without a lwres clause) is running as just named

Thank you for the explanation. I was apparently running lwresd pointing
it to resolv.conf instead of lwresd.conf. Everything works fine now.

Regards,
Tomas

> > in the configuration. However I was not able to disable EDNS
> > when running lwresd.
> > 
> > We have a user that would like to disable EDNS to reduce the
> > overhead it adds and improve the performance. The DNSSEC is
> > not a priority for them.
> > 
> > Is there a way to disable DNSSEC/EDNS for lwresd?
> > 
> > Thank you in advance.
> > 
> > 
> > Regards,
> > --
> > Tomas Hozza
> > Software Engineer - EMEA ENG Developer Experience
> > 
> > PGP: 1D9F3C2D
> > Red Hat Inc.                               http://cz.redhat.com
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
> 
-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc.                               http://cz.redhat.com
