DNSSEC ISSUE (Msg: Request is not signed)

Curt Sampson cjs at cynic.net
Mon Jul 16 05:40:04 UTC 2007


On Sat, 14 Jul 2007, Mark Andrews wrote:

>       Auth servers don't have to set "ad" when responding. Named does
>       no crypto validation when answering from authoritative data.
>
>       Workarounds are to use a recursion-only view.

Which is exactly what I do; my authoritative nameservers have a
non-authoritative, resolving view listening on the loopback interface
that does do the crypto validation so that OpenSSH can get validated
fingerprints.

I'm curious as to why this is set up this way, though. Wouldn't it make
sense that authoritative servers, when loading or fetching the zone
file, validate the data when loaded and then return responses with the
AD bit set?

cjs
-- 
Curt Sampson         <cjs at cynic.net>         +81 90 7737 2974
              http://www.starling-software.com
The power of accurate observation is commonly called cynicism
by those who have not got it.    --George Bernard Shaw
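The layout described in the reply above (an authoritative, non-recursive view for the world plus a validating, recursion-only view on the loopback address so that a local OpenSSH client sees the AD bit on SSHFP answers) can be sketched in BIND 9 configuration as follows. This is an added illustration, not the poster's actual named.conf; the zone name, the public address 192.0.2.1, the file names and the trusted key are placeholders.

```conf
// Added example (not from the mailing-list post): a BIND 9 named.conf
// sketch of the two-view layout. Names, addresses and the trust anchor
// are placeholders, not real values.
options {
    directory "/var/named";
    listen-on { 127.0.0.1; 192.0.2.1; };   // 192.0.2.1 = assumed public address
    dnssec-enable yes;
};

// Validating, recursion-only view. Views are matched in order, so this
// one comes first: queries arriving from/to the loopback address go here.
view "loopback-resolver" {
    match-clients { 127.0.0.1; };
    match-destinations { 127.0.0.1; };
    recursion yes;
    dnssec-validation yes;     // answers that validate get the AD bit set
    allow-query { 127.0.0.1; };

    // Trust anchor for the signed zone (placeholder key material;
    // the real DNSKEY RDATA goes here).
    trusted-keys {
        "example.net." 257 3 5 "PLACEHOLDER-BASE64-DNSKEY";
    };
};

// Authoritative, non-recursive view for everyone else. Answers from
// this view carry no AD bit, as Mark Andrews explained above.
view "public-auth" {
    match-clients { any; };
    recursion no;
    allow-query { any; };

    zone "example.net" {
        type master;
        file "example.net.signed";   // placeholder file name
    };
};
```

To confirm the split is working, query the loopback view with `dig +dnssec @127.0.0.1 host.example.net SSHFP` and check that the `flags:` line of the answer includes `ad`; the same query sent to 192.0.2.1 should answer authoritatively (`aa`) without `ad`. For OpenSSH's `VerifyHostKeyDNS yes` to make use of the validated answer, the system resolver (`/etc/resolv.conf`) must point at 127.0.0.1 so that the client's lookups reach the validating view rather than the authoritative one.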


