<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p><font size="-1" face="Helvetica, Arial, sans-serif">I manage an
anti-spam DNSBL and I've been running into an issue in recent
years - that I'm FINALLY getting around to asking about. I just
joined this list to ask this question. Also, I checked the
archives, but couldn't find an answer - at least, not one I
understood.</font></p>
<p><font size="-1" face="Helvetica, Arial, sans-serif">So basically,
while most of our users do direct queries and don't have this
issue - some of our larger subscribers RSYNC the
rbldsnd-formatted files, and then they typically run rbldnsd on
the same server as their BIND server that is answering their
DNSBL queries. Then, their invaluement zone names will all end
with "invaluement.local". Typically, their RBLDNSD server is set
up to listen on 127.0.0.2 - and then they use BIND for answering
their DNSBL queries, and so they tell BIND to get its answers
for THOSE invaluement dnsbl queries by doing a DNS forwarder,
telling bind to get the answers for THOSE zones from 127.0.0.2 -
as shown below:</font></p>
<p><font size="-1" face="Helvetica, Arial, sans-serif"><font
color="#800000">zone "invaluement.local" in {<br>
type forward;<br>
forward only;<br>
forwarders { 127.0.0.2; };</font></font><font size="-1"
face="Helvetica, Arial, sans-serif"><font color="#800000"><br>
};</font></font><font size="-1" face="Helvetica, Arial,
sans-serif"><font color="#800000"> </font></font></p>
<p><font size="-1" face="Helvetica, Arial, sans-serif">This works
perfectly - so long as DNSSEC is turned off. And since most of
our subscribers are running a dedicated instance of BIND that is
ONLY used for DNSBL queries, they don't mind turning DNSSEC off.</font></p>
<p><font size="-1" face="Helvetica, Arial, sans-serif">But,
occasionally, we have a customer who cannot turn DNSSEC off. So
I was hoping that THIS command would work:</font></p>
<p><font size="-1" face="Helvetica, Arial, sans-serif"
color="#800000">dnssec-must-be-secure "invaluement.local" no;</font></p>
<p><font size="-1" face="Helvetica, Arial, sans-serif">But it
doesn't seem to be helping at all. Is that command suppose to
disable DNSSEC checking for a particular zone? If yes, what did
I do wrong? If not, what <i>does</i> "dnssec-must-be-secure"
set to "no" do?</font></p>
<p><font size="-1" face="Helvetica, Arial, sans-serif">I've heard
that there is NOT a way to get this to work - and that such
subscribers much use DNS Delegation, instead. But I really wish
this could be done by simply turning off DNSSEC for a <i>particular</i>
zone. That could be useful for MANY various types of internal
zones that need this. But if this is that case, how would that
DNS Delegation look, to get the above forwarding example to work
using delegation instead?</font></p>
<p><font size="-1" face="Helvetica, Arial, sans-serif">Thanks in
advance for your help!<br>
</font></p>
<pre class="moz-signature" cols="72"><font size="-1" face="Helvetica, Arial, sans-serif">--
Rob McEwen, invaluement
</font></pre>
</body>
</html>