disable dnssec in bind resolver
Mark Andrews
marka at isc.org
Sun Jun 6 01:07:40 UTC 2010
In message <4C0AAD2A.4010708 at dougbarton.us>, Doug Barton writes:
> On 06/05/10 07:22, Mark Andrews wrote:
> > In message<4C09C562.7030204 at dougbarton.us>, Doug Barton writes:
> >
> > The resolver works. It figures out that it can't make the new style
> > queries and falls back to the old style queries. If the user is really
> > worried they can turn off EDNS and with that DO.
>
> The OP's problem was that his firewall blocked anything with DO=1.
That was the claim. I suspect the reality is something different
and would like to see actual proof that it is not one of the other
firewall issues. This is not to say that there are not firewalls
that choke on DO (when DO was first introduced we saw lookup failures
due to firewalls blocking it) but given named has been sending DO
for years it is strange to get a complaint about DO now.
> > It's still a handful of zones that are signed.
>
> But isn't that what we're all working on changing? :)
>
> Doug
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users
mailing list