Insecurity proof failed
Borja Marcos
borjam at sarenet.es
Tue Mar 12 13:49:17 UTC 2024
> On 12 Mar 2024, at 13:36, Mark Andrews <marka at isc.org> wrote:
>
> Have you disabled EDNS to these servers in named.conf? DNSSEC responses are only returned
> if DO=1 is set in the request. Named can learn that a server doesn’t support EDNS if it doesn’t
> return EDNS responses consistently to EDNS requests. If that happens named will send plain DNS
> requests.
Gosh. YESSS!!
I had added those four DNS servers due to some nonsense with eset.com <http://eset.com/>, the AV company. I will review that.
I had to do that in the past because of authoritative servers that simply do not answer (some braindead firewall
involved, probably) to EDNS options or cookies.
Thank you!
Borja.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 873 bytes
Desc: Message signed with OpenPGP
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20240312/6a3de71a/attachment.sig>
More information about the bind-users
mailing list