proper setup of dnssec-validation to _always_ resolve, and retrieve DATA and status flags ?
Mark Andrews
marka at isc.org
Tue May 10 04:48:40 UTC 2011
In message <1304999903.6599.1450152113 at webmail.messagingengine.com>, "" writes:
> Among numerous examples of folks running Bind9 in split-view mode
> similar to my config, I found this unanswered DNSSEC-related post,
>
> "DNSSEC Validating Resolver and Views"
> https://lists.isc.org/pipermail/bind-users/2010-March/079166.html
>
> which seems, at least, similar to the issue I'm seeing,
>
> " ... This setup has been working for years but is now broken for clients
> querying from a guest network (via the guest view) unless the queries
> have checking disabled. ..."
>
> Checking with my server for apparently unsigned 'www.adobe.com',
>
> dig www.adobe.com
>
> ; <<>> DiG 9.8.0-P1 <<>> www.adobe.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12026
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.adobe.com. IN A
>
> ;; Query time: 24 msec
> ;; SERVER: 10.10.10.100#53(10.10.10.100)
> ;; WHEN: Mon May 9 13:53:29 2011
> ;; MSG SIZE rcvd: 31
>
> dig www.adobe.com +cd
>
> ; <<>> DiG 9.8.0-P1 <<>> www.adobe.com +cd
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50312
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.adobe.com. IN A
>
> ;; ANSWER SECTION:
> www.adobe.com. 3592 IN CNAME www.wip4.adobe.com.
> www.wip4.adobe.com. 30 IN A 192.150.16.60
>
> ;; AUTHORITY SECTION:
> wip4.adobe.com. 3337 IN NS da1gtm001.adobe.com.
> wip4.adobe.com. 3337 IN NS 3dns-5.adobe.com.
>
> ;; Query time: 52 msec
> ;; SERVER: 10.10.10.100#53(10.10.10.100)
> ;; WHEN: Mon May 9 13:53:37 2011
> ;; MSG SIZE rcvd: 115
>
> shows, as in the referenced post, that checking a dnssec-unsigned
> domain @ resolver with dnssec-validation enabled returns DATA only if
> that validation is DISABLED.
What does "dig DS adobe.com" return?
> DCh
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
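
Added example, not part of the original thread: a small Python check that reads the header of a plain dig run and of the same query with +cd, and reports whether the pair points at a DNSSEC validation failure on the resolver. The function names and result labels are assumptions made for this illustration; the sample input is the two dig headers quoted above.

```python
import re

# Header lines copied from the two dig runs quoted in the thread
# (wrapped lines rejoined); the rest of the output is not needed here.
PLAIN = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12026
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0"""
WITH_CD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50312
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0"""


def parse_dig(text):
    """Return rcode, header flags and answer count from dig's text output."""
    status = re.search(r"status:\s*([A-Z]+)", text)
    flags = re.search(r"flags:\s*([a-z ]*);", text)
    answers = re.search(r"ANSWER:\s*(\d+)", text)
    if not (status and flags and answers):
        raise ValueError("no dig header found")
    return {"status": status.group(1),
            "flags": set(flags.group(1).split()),
            "answers": int(answers.group(1))}


def classify(plain_out, cd_out):
    """Compare a normal query with the same query sent with +cd."""
    plain, cd = parse_dig(plain_out), parse_dig(cd_out)
    if "cd" not in cd["flags"]:
        raise ValueError("second output was not a +cd query")
    if plain["status"] == "SERVFAIL":
        # Data is reachable once checking is disabled: the resolver is
        # rejecting the answer during validation, not failing to fetch it.
        if cd["status"] != "SERVFAIL":
            return "validation-failure"
        return "resolution-failure"
    # AD set means the resolver validated the answer. AD absent covers an
    # unsigned zone, validation switched off, or a query that did not ask
    # for AD (for example an older dig run without +dnssec).
    if plain["status"] == "NOERROR" and "ad" in plain["flags"]:
        return "validated"
    return "not-validated"


if __name__ == "__main__":
    print(classify(PLAIN, WITH_CD))
```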