disable dnssec for particular domain
dot at dotat.at
Wed Feb 7 11:59:56 UTC 2018
Matus UHLAR - fantomas <uhlar at fantomas.sk> wrote:
> the name is "testa.eu".
OK, let's dig it (trimmed for relevance):
; <<>> DiG 9.13.0-dev <<>> +multiline +dnssec testa.eu
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39666
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
So we know two things from this: the domain doesn't exist, and it is not
an authenticated denial of existence - no AD flag. So you should be OK to
have a private testa.eu domain without DNSSEC validation problems.
Looking in the AUTHORITY section...
4EIKQ8ORL4U4NTG72QEDRA6P3NDA1UNC.eu. 589 IN NSEC3 1 1 1 5CA1AB1E (
NS DS RRSIG )
$ NSEC3 1 1 1 5CA1AB1E *.eu
*.eu NSEC3 1 1 1 5CA1AB1E 4EIO9SO8DATCD8U1KI8ATQ6K5UTE1QCS
This NSEC3 record proves there is no wildcard (observe the hash from my
NSEC3 utility is lexically between the two hashes above).
GLIBHU0LF7IH1TGCCS68E3R5508AKBFR.eu. 589 IN NSEC3 1 1 1 5CA1AB1E (
NS DS RRSIG )
$ NSEC3 1 1 1 5CA1AB1E testa.eu
testa.eu NSEC3 1 1 1 5CA1AB1E GLIBUAUN6HLU7OONLEAJE4PFAHE8CFEU
This NSEC3 record proves there is no signed delegation for testa.eu. There
is an opt-out bit which means that there can be any unsigned delegations
with hashes between GLIBH... and GLIJ3...
QBQ65Q6097OCPPR0EUCQNSC1FHE073UA.eu. 589 IN NSEC3 1 1 1 5CA1AB1E (
NS SOA RRSIG DNSKEY NSEC3PARAM )
$ NSEC3 1 1 1 5CA1AB1E eu
eu NSEC3 1 1 1 5CA1AB1E QBQ65Q6097OCPPR0EUCQNSC1FHE073UA
This is the closest encloser proof, identifying the .eu zone apex, which
you can tell from the type bitmap as well as the matching hashes.
So according to my understanding, a local testa.eu zone should work ok.
Letsa testa it. I have configured an empty zone on my authoritative view,
with a static-stub version in the recursive view. This is a cunning hack
to make my server validate its local authoritative zones, which I use for
all the real zones on the server.
$ named-checkconf -l | grep testa
testa.eu IN rec static-stub
testa.eu IN auth master
$ dig testa.eu soa
; <<>> DiG 9.13.0-dev <<>> testa.eu soa
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38193
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
Oh dear! As you said, it doesn't work!
I think this warrants further investigation...
f.anthony.n.finch <dot at dotat.at> http://dotat.at/ - I xn--zr8h punycode
Rockall, Malin, Hebrides, Bailey: West or southwest 5 to 7, occasionally gale
8 in Hebrides and Bailey. Very rough or high, occasionally rough in Malin.
Rain then showers, becoming wintry and squally except in Malin. Good,
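The hash checks in the message above were done with the author's own NSEC3 utility, which is not shown. The following is an added example, not code from the post or from BIND, that reproduces those checks in plain Python: it computes the RFC 5155 NSEC3 hash (SHA-1, the only defined algorithm; `iterations` extra rounds, each with the salt appended; base32hex output), then uses the hashes to find the closest encloser for a name and to test whether a hash falls in the gap an NSEC3 record covers, including the wraparound gap of the last record in the zone. The three owner hashes and the salt/iteration parameters are the ones quoted from the .eu response above; the "next hashed owner" values used in the `covers()` checks are constructed placeholders, because the trimmed dig output above does not show that field.

```python
import base64
import hashlib

# Parameters of the .eu zone as shown in the NSEC3 records above:
# algorithm 1 (SHA-1), opt-out flag set, 1 iteration, salt 5CA1AB1E.
EU_SALT = bytes.fromhex("5CA1AB1E")
EU_ITERATIONS = 1

# NSEC3 owner hashes quoted from the AUTHORITY section above.
EU_OWNERS = [
    "4EIKQ8ORL4U4NTG72QEDRA6P3NDA1UNC",  # covers the wildcard *.eu
    "GLIBHU0LF7IH1TGCCS68E3R5508AKBFR",  # covers testa.eu
    "QBQ65Q6097OCPPR0EUCQNSC1FHE073UA",  # matches the zone apex, eu
]

# RFC 4648 base32 -> base32hex ("Extended Hex") alphabet translation.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical (lowercase) DNS wire-format encoding of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name, salt=EU_SALT, iterations=EU_ITERATIONS):
    """RFC 5155 section 5: IH(salt, name, 0) = SHA1(name || salt), then
    IH(k) = SHA1(IH(k-1) || salt) for each extra iteration; base32hex."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes = 160 bits = exactly 32 base32 characters, no padding.
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX)


def covers(owner_hash, next_hash, h):
    """True if hash h lies strictly inside the gap between an NSEC3 owner
    hash and its 'next hashed owner' field.  The last NSEC3 in the zone
    has next_hash < owner_hash and covers everything past the end and
    before the start of the hash ring."""
    owner_hash, next_hash, h = owner_hash.upper(), next_hash.upper(), h.upper()
    if owner_hash < next_hash:
        return owner_hash < h < next_hash
    return h > owner_hash or h < next_hash


def closest_encloser(qname, owner_hashes, salt=EU_SALT, iterations=EU_ITERATIONS):
    """Walk up from qname until an ancestor's hash matches an NSEC3 owner
    name in the response.  Returns (closest_encloser, next_closer_name);
    the next closer name is the one an NSEC3 must *cover* for an NXDOMAIN
    proof.  Returns (None, None) if no ancestor matches."""
    labels = [l for l in qname.lower().rstrip(".").split(".") if l]
    owners = {h.upper() for h in owner_hashes}
    for i in range(len(labels) + 1):
        candidate = ".".join(labels[i:]) or "."
        if nsec3_hash(candidate, salt, iterations) in owners:
            next_closer = ".".join(labels[i - 1:]) if i > 0 else None
            return candidate, next_closer
    return None, None


if __name__ == "__main__":
    for name in ("eu", "testa.eu", "*.eu"):
        print(f"{name:10} NSEC3 1 1 1 5CA1AB1E {nsec3_hash(name)}")
    ce, nc = closest_encloser("testa.eu", EU_OWNERS)
    print(f"closest encloser: {ce}, next closer name: {nc}")
```

Running the block prints the same three hashes as the utility output quoted above (QBQ65Q... for eu, GLIBUA... for testa.eu, 4EIO9S... for *.eu) and reports eu as the closest encloser with testa.eu as the next closer name. A full NXDOMAIN validation would then require `covers()` to hold for both the next closer name and the wildcard hash against the records' real next-hash fields, and, as the post notes, the opt-out flag means an *unsigned* delegation for testa.eu could still exist inside the covered gap.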