disable dnssec in bind resolver

Mark Andrews marka at isc.org
Sun Jun 6 01:37:01 UTC 2010


In message <201006060107.o5617eP4091385 at drugs.dv.isc.org>, Mark Andrews writes:
> 
> In message <4C0AAD2A.4010708 at dougbarton.us>, Doug Barton writes:
> > On 06/05/10 07:22, Mark Andrews wrote:
> > > In message<4C09C562.7030204 at dougbarton.us>, Doug Barton writes:
> > >
> > > The resolver works.  It figures out that it can't make the new style
> > > queries and falls back to the old style queries.  If the user is really
> > > worried they can turn off EDNS and with that DO.
> > 
> > The OP's problem was that his firewall blocked anything with DO=1.
> 
> That was the claim.  I suspect the reality is something different
> and would like to see actual proof that it is not one of the other
> firewall issues.  This is not to say that there are not firewalls
> that choke on DO (when DO was first introduced we saw lookup failures
> due to firewalls blocking it) but given named has been sending DO
> for years it is strange to get a complaint about DO now.

BIND 9.1 sent DO. Every lookup he made would have been slow
(multiple seconds) if DO was a problem for his firewall.

% grep G_DO 9.?.x/lib/dns/*.c
9.1.x/lib/dns/resolver.c:       rdatalist->ttl = DNS_MESSAGEEXTFLAG_DO;
9.2.x/lib/dns/message.c:                if ((ps->ttl & DNS_MESSAGEEXTFLAG_DO) != 0)
9.2.x/lib/dns/message.c:                mbz = ps->ttl & ~DNS_MESSAGEEXTFLAG_DO & 0xffff;
9.2.x/lib/dns/resolver.c:       rdatalist->ttl = DNS_MESSAGEEXTFLAG_DO;
9.3.x/lib/dns/message.c:                if ((ps->ttl & DNS_MESSAGEEXTFLAG_DO) != 0)
9.3.x/lib/dns/message.c:                mbz = ps->ttl & ~DNS_MESSAGEEXTFLAG_DO & 0xffff;
9.3.x/lib/dns/resolver.c:       rdatalist->ttl = DNS_MESSAGEEXTFLAG_DO;
9.4.x/lib/dns/message.c:                if ((ps->ttl & DNS_MESSAGEEXTFLAG_DO) != 0)
9.4.x/lib/dns/message.c:                mbz = ps->ttl & ~DNS_MESSAGEEXTFLAG_DO & 0xffff;
9.4.x/lib/dns/resolver.c:       rdatalist->ttl |= DNS_MESSAGEEXTFLAG_DO;
9.5.x/lib/dns/message.c:                if ((ps->ttl & DNS_MESSAGEEXTFLAG_DO) != 0)
9.5.x/lib/dns/message.c:                mbz &= ~DNS_MESSAGEEXTFLAG_DO;         /* Known Flags. */
9.5.x/lib/dns/resolver.c:       rdatalist->ttl |= DNS_MESSAGEEXTFLAG_DO;
9.6.x/lib/dns/message.c:                if ((ps->ttl & DNS_MESSAGEEXTFLAG_DO) != 0)
9.6.x/lib/dns/message.c:                mbz &= ~DNS_MESSAGEEXTFLAG_DO;         /* Known Flags. */
9.6.x/lib/dns/resolver.c:       rdatalist->ttl |= DNS_MESSAGEEXTFLAG_DO;
9.7.x/lib/dns/message.c:                if ((ps->ttl & DNS_MESSAGEEXTFLAG_DO) != 0)
9.7.x/lib/dns/message.c:                mbz &= ~DNS_MESSAGEEXTFLAG_DO;         /* Known Flags. */
9.7.x/lib/dns/resolver.c:       rdatalist->ttl |= DNS_MESSAGEEXTFLAG_DO;
% 

> > > It's still a handful of zones that are signed.
> > 
> > But isn't that what we're all working on changing? :)
> >
> > Doug
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
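An added illustration, not part of this thread or of BIND's source: the DO bit that the grep output above manipulates lives in the OPT pseudo-RR's 32-bit TTL field (extended RCODE, EDNS version, then 16 flag bits with DO as the top bit, per RFC 6891). The Python below builds a query with and without DO and then extracts the same fields from a raw message the way BIND's `mbz` line does, which is what you need when checking whether a firewall is really seeing DO=1; the function names and the constructed query are my own.

```python
import struct

# Same value BIND uses: the DO bit as it sits in the OPT RR's TTL field.
DNS_MESSAGEEXTFLAG_DO = 0x00008000
OPT_TYPE = 41  # EDNS0 OPT pseudo-RR

def build_query(qname, qtype=1, edns=True, do=True, udp_size=4096):
    """Constructed minimal query; optionally append an OPT RR with or without DO."""
    # id, flags (RD), qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns else 0)
    labels = qname.rstrip(".").split(".")
    q = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"
    q += struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    if not edns:
        return header + q
    ttl = DNS_MESSAGEEXTFLAG_DO if do else 0  # ext-rcode=0, version=0, flags
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)  # root name, no options
    return header + q + opt

def skip_name(msg, off):
    """Advance past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def edns_info(msg):
    """Return None if the message carries no OPT RR, else its EDNS fields."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE/QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return {
                "udp_size": rclass,                 # OPT reuses CLASS as UDP payload size
                "version": (ttl >> 16) & 0xFF,
                "do": bool(ttl & DNS_MESSAGEEXTFLAG_DO),
                "mbz": ttl & ~DNS_MESSAGEEXTFLAG_DO & 0xFFFF,  # flag bits BIND treats as unknown
            }
    return None
```

Feeding `edns_info` a packet captured on the firewall's inside and outside interfaces tells you directly whether DO=1 queries are leaving and whether the replies keep the OPT record.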
