www.ncbi.nlm.nih.gov / pubmed
Dave Sparro
dsparro at gmail.com
Wed Aug 18 16:48:45 UTC 2010
On 8/18/2010 8:30 AM, Phil Mayers wrote:
> On 18/08/10 13:15, Lightner, Jeff wrote:
>> It comes right up in Firefox but prompts for a username and password.
>
> Do you have DNSSEC validation enabled? Because as per my email, it's a
> DNSSEC problem.
>
> After a bit of investigation, it seems that the problem is a missing
> NSEC/NSEC3 record in the empty reply for:
>
> $ dig +dnssec @165.112.4.230 ncbi.nlm.nih.gov ds
>
> ...since the "ncbi" zone is an unsigned child zone, there needs to be an
> NSEC/NSEC3 record to prove the absence of the DS record, and have a
> secure delegation to an unsigned child zone.

It sounds to me like DNSSEC validation is working as designed. If your
DNS server's users are complaining about not being able to resolve
something that fails validation, the question you need to ask is do your
end-users really want you to do DNSSEC validation for them?

If you're asking for a workaround for when validation fails, there's not
much point to doing the validation.

--
Dave
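
Added example, not part of the original message or of BIND: a structural check of a `dig +dnssec <zone> ds` reply for the proof discussed in this thread, meaning a signed NSEC or NSEC3 record at the delegation with NS set and DS and SOA absent. It goes slightly beyond the thread by computing the NSEC3 owner hash. The `child.example` records and all function names are constructed, RRSIGs are checked for presence only (not verified), and NSEC3 opt-out ranges are not handled.

```python
import base64, hashlib
B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", b"0123456789abcdefghijklmnopqrstuv")

def fqdn(name):
    return name.lower().rstrip(".") + "."

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 owner hash: SHA-1 of wire-format name + salt, re-hashed `iterations` times."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    labels = fqdn(name).rstrip(".").split(".")
    digest = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\0"
    for _ in range(iterations + 1):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(B32HEX).decode()

def parse_records(dig_text):
    """Yield (section, owner, type, rdata fields) for each record line of dig output."""
    section = None
    for line in dig_text.splitlines():
        f = line.split()
        if line.startswith(";;") and "SECTION" in line:
            section = f[1].lower()
        elif section and len(f) >= 5 and not line.startswith(";") and f[2] == "IN":
            yield section, f[0].lower(), f[3], f[4:]

def classify_ds_reply(dig_text, child, parent):
    """'secure' (signed DS), 'insecure' (signed proof of no DS) or 'bogus' (no proof)."""
    child, parent = fqdn(child), fqdn(parent)
    recs = list(parse_records(dig_text))
    signed = {(sec, owner, r[0]) for sec, owner, t, r in recs if t == "RRSIG"}
    for sec, owner, rtype, r in recs:
        if (sec, owner, rtype) not in signed:
            continue  # no covering RRSIG, so the record proves nothing
        if (sec, rtype, owner) == ("answer", "DS", child):
            return "secure"
        if sec == "authority" and rtype == "NSEC":
            match, types = owner == child, r[1:]  # r[0] is the next owner name
        elif sec == "authority" and rtype == "NSEC3":
            match, types = owner == f"{nsec3_hash(child, r[3], int(r[2]))}.{parent}", r[5:]
        else:
            continue
        if match and "NS" in types and not {"DS", "SOA"} & set(types):
            return "insecure"
    return "bogus"

# Constructed samples (not captured from any server); c2ln stands in for signature data.
SIG = "8 2 3600 20100901000000 20100801000000 12345 example. c2ln"
NO_PROOF = f";; AUTHORITY SECTION:\nexample. 3600 IN SOA ns.example. admin.example. 1 2 3 4 5\nexample. 3600 IN RRSIG SOA {SIG}\n"
WITH_NSEC = NO_PROOF + f"child.example. 3600 IN NSEC d.example. NS RRSIG NSEC\nchild.example. 3600 IN RRSIG NSEC {SIG}\n"
```

`classify_ds_reply(NO_PROOF, "child.example", "example")` returns `"bogus"`, the case described in the quoted message; `WITH_NSEC` returns `"insecure"`.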