disable dnssec in bind resolver
Doug Barton
dougb at dougbarton.us
Sat Jun 5 19:54:18 UTC 2010
On 06/04/10 21:58, Paul Vixie wrote:
> Doug Barton<dougb at dougbarton.us> writes:
>
>> With my business hat on though I can see at least 2 possible use cases for
>> DO=0. The first being related to this thread, "I can't/won't fix/remove the
>> firewall today, I just want my resolver to work."
>
> it works. it's just slower because it has to fall back. this is one of the
> reasons we fall back to BUFSIZE=512 before falling all the way back to DNS
> (that is, turning EDNS off altogether.)

The OP's problem was that the firewall between his resolving name server
and "the cloud" blocks packets with DO=1. Now admittedly this is a
special kind of stupidity on the firewall's part ...

>> In all fairness, I don't have any actual clients telling me that DO=1 is
>> a problem for them, this is pure speculation on my part; ...
>
> yes, i know that, because i'd see the other side of it if it was going on.

Right-O. OTOH discussion/thought about the problem now, before it turns
into a crisis, (probably) can't hurt anything. :)
Doug
--
... and that's just a little bit of history repeating.
-- Propellerheads
Improve the effectiveness of your Internet presence with
a domain name makeover! http://SupersetSolutions.com/