OpenDNS today announced it has adopted DNSCurve to secure DNS

Niobos niobos at dest-unreach.be
Thu Feb 25 17:23:58 UTC 2010


On 2010-02-25 17:07, Joe Baptista wrote:
> On Wed, Feb 24, 2010 at 10:23 PM, Alan Clegg <aclegg at isc.org> wrote:
>
>     Joe Baptista wrote:
>
>        Serving signed zones requires signed zone data to serve.
>        Validation requires configuration of trust anchors.
>
>     To "turn it off",
>
>     Don't sign your zones and don't configure trust anchors.
>
>
> Like I said the server is recursive only - no zones served.
Like Alan said (twice):
> Serving signed zones requires signed zone data to serve.
>
> Validation requires configuration of trust anchors.
>
For a recursive resolver, the first sentence is not applicable, but the
second is. To verify DNSSEC answers you need at least one trust anchor
configured. Ideally that would be the root zone, but since that will
only be signed later this year, most people use a DLV.
If you don't have a trust anchor configured (the default), BIND will ask
for DNSSEC answers, but won't validate them (since it can't), and will
thus accept anything, just like a non-DNSSEC resolver.

>     Or, if you think you might accidentally sign your zones or configure
>     trust anchors, you can:
>
>         dnssec-enable no;
>         dnssec-validation no;
>
>
> OK - so if I do the above - will that prevent my recursive server from
> doing DNSSEC if it gets information from a DNSSEC signed zone?
Yes and no. It will prevent your resolver from asking for DNSSEC answers.
Since DNSSEC is fully backward compatible, the server will not put
DNSSEC RRs in its reply, so your resolver will not know whether a zone
is DNSSEC-signed or not.


Niobos
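The three resolver states described in this reply (DNSSEC disabled, DNSSEC data requested but not validated because no trust anchor is configured, and validating) are visible in the answers a client gets back. As an added example, not part of the original post or of BIND, this Python script classifies a resolver's wire-format response by the header AD flag, RRSIG records and the OPT DO bit; the name www.example., the address 192.0.2.10 and the signature bytes are constructed sample data.

```python
import struct
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
FLAG_AD = 0x0020   # header "Authenticated Data" flag: set only by a validating resolver
OPT_DO = 0x8000    # "DNSSEC OK" bit, carried in the TTL field of the OPT pseudo-RR

def encode_name(name):  # dotted name -> wire-format labels
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def skip_name(msg, pos):  # offset just past a (possibly compressed) name
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes end the name
            return pos + 2
        pos += 1
        if length == 0:
            return pos
        pos += length

def rr(name, rtype, rclass, ttl, rdata):  # one resource record in wire format
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_response(flags, answer_rrs, with_opt):  # constructed reply to 'www.example. IN A'
    extra = [rr(".", TYPE_OPT, 4096, OPT_DO, b"")] if with_opt else []
    header = struct.pack("!6H", 0x1234, 0x8180 | flags, 1, len(answer_rrs), 0, len(extra))  # QR, RD, RA
    question = encode_name("www.example.") + struct.pack("!HH", TYPE_A, 1)
    return header + question + b"".join(answer_rrs + extra)

def classify_dnssec_state(msg):  # -> 'validated' | 'unvalidated' | 'no-dnssec'
    _, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    pos = 12
    for _ in range(qd):                       # question: name + type + class
        pos = skip_name(msg, pos) + 4
    rrsigs, do_bit = 0, False
    for _ in range(an + ns + ar):             # walk answer, authority, additional
        pos = skip_name(msg, pos)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10 + rdlen
        rrsigs += rtype == TYPE_RRSIG
        do_bit |= rtype == TYPE_OPT and bool(ttl & OPT_DO)
    if flags & FLAG_AD:
        return "validated"                    # the resolver checked the signatures itself
    return "unvalidated" if rrsigs or do_bit else "no-dnssec"

# Constructed samples; a real RRSIG rdata is far longer, only the record type matters here.
A_RR = rr("www.example.", TYPE_A, 1, 300, bytes([192, 0, 2, 10]))
RRSIG_RR = rr("www.example.", TYPE_RRSIG, 1, 300, b"\x00" * 18)
SAMPLES = {"dnssec-enable no": build_response(0, [A_RR], False),
           "no trust anchor": build_response(0, [A_RR, RRSIG_RR], True),
           "trust anchor configured": build_response(FLAG_AD, [A_RR, RRSIG_RR], True)}
```

An "unvalidated" result is the default BIND behaviour the reply describes: signatures are fetched and passed along, but nothing is checked, so the client must not treat the answer as authenticated.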