proper setup of dnssec-validation to _always_ resolve, and retrieve DATA and status flags?
Doug Barton
dougb at dougbarton.us
Tue May 10 03:11:54 UTC 2011
On 05/09/2011 19:32, dchilton+bind at bestmail.us wrote:
> Hi.
>
> My bind v980-p1 svr is DNSSEC-enabled, and signed zones are publishing
> as DNSSEC-valid.
>
> I've both internal and external views:
>
> -- internal is authoritative and provides recursion for LAN clients
> -- external serves only as an authoritative hidden-primary feeding
> slaves via AXFR.
Step 1 should be to separate those functions into separate processes.
You're adding completely unnecessary complexity trying to shoehorn 2
substantially different features into the same process.
> for known-bad domains 'dig domain.com' hesitates for a bit, then returns
> SERVFAIL -- no DATA.
It's not clear at all what you are defining as "known bad" here.
www.adobe.com resolves just fine for me with or without +dnssec because
adobe.com is not signed.
> Shouldn't the "+dnssec" case for known-bad be returning DATA?
Known-bad in DNSSEC terms means a domain that is signed, but the
signatures do not validate. In that case the queries should not return
data.
> Also, I'm unclear about the proper use for validation. I *want* to
> validate, but have the DATA nonetheless returned, with appropriate FLAGS
> so that, e.g., Firefox + DNSSEC-extension can (1) resolve the domain,
> and (2) 'report' the DNSSEC state in-browser.
That's not at all how DNSSEC works, see above.
> The way things are working now, with validation enabled and NO DATA
> returned, domains simply don't resolve at all -- and, of course, the
> browser displays a failure.
>
> Is my expected usage _not_ appropriate?
No, it isn't; however the fact that un-signed domains aren't returning
data either is a problem. Split the features you described above into
separate servers, remove the views stuff on the resolver, and try again.
hth,
Doug
--
Nothin' ever doesn't change, but nothin' changes much.
-- OK Go
Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
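To tell apart the cases the reply distinguishes (a signed zone whose signatures fail, an unsigned zone that still resolves, and a resolver that simply fails), here is an added diagnostic that is not part of this thread: it reads the two header lines dig prints and classifies the result. It assumes dig's +cd (Checking Disabled) option as the probe for "data exists but does not validate"; the sample headers are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify a name from dig's header.
#   secure      - answer validated by the resolver (AD flag set)
#   insecure    - answer returned, zone not signed (no AD flag)
#   bogus       - signed but signatures fail: SERVFAIL normally, yet the
#                 resolver still hands back data when asked with +cd
#                 (Checking Disabled) - assumed probe for "known-bad"
#   unreachable - SERVFAIL even with +cd, so not a DNSSEC failure at all
# $1 = output of "dig +dnssec NAME", $2 = output of "dig +dnssec +cd NAME"
dnssec_state() {
    rc=$(printf '%s\n' "$1"    | sed -n 's/.*status: \([A-Z]*\),.*/\1/p')
    fl=$(printf '%s\n' "$1"    | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p')
    rc_cd=$(printf '%s\n' "$2" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p')
    case "$rc" in
        NOERROR|NXDOMAIN)
            case " $fl " in
                *" ad "*) echo secure ;;
                *)        echo insecure ;;
            esac ;;
        SERVFAIL)
            case "$rc_cd" in
                NOERROR|NXDOMAIN) echo bogus ;;
                *)                echo unreachable ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# Live check against a real resolver, e.g.: check_name example.net @127.0.0.1
check_name() {
    dnssec_state "$(dig +dnssec "$@")" "$(dig +dnssec +cd "$@")"
}

# Constructed sample headers, trimmed to the two lines the classifier reads.
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_CD_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4245
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

dnssec_state "$SAMPLE_SECURE"   "$SAMPLE_SECURE"    # prints "secure"
dnssec_state "$SAMPLE_INSECURE" "$SAMPLE_INSECURE"  # prints "insecure"
dnssec_state "$SAMPLE_SERVFAIL" "$SAMPLE_CD_OK"     # prints "bogus"
dnssec_state "$SAMPLE_SERVFAIL" "$SAMPLE_SERVFAIL"  # prints "unreachable"
```

A name that comes back "bogus" is the only case where the resolver is correctly withholding data; "unreachable" for an unsigned name points at the resolver setup rather than at DNSSEC.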