proper setup of dnssec-validation to _always_ resolve, and retrieve DATA and status flags?
dchilton+bind at bestmail.us
Tue May 10 03:58:23 UTC 2011
Among numerous examples of folks running Bind9 in split-view mode
similar to my config, I found this unanswered DNSSEC-related post,
"DNSSEC Validating Resolver and Views"
https://lists.isc.org/pipermail/bind-users/2010-March/079166.html
which seems, at least, similar to the issue I'm seeing,
" ... This setup has been working for years but is now broken for clients
querying from a guest network (via the guest view) unless the queries
have checking disabled. ..."
Checking with my server for apparently unsigned 'www.adobe.com',
dig www.adobe.com
; <<>> DiG 9.8.0-P1 <<>> www.adobe.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12026
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.adobe.com. IN A
;; Query time: 24 msec
;; SERVER: 10.10.10.100#53(10.10.10.100)
;; WHEN: Mon May 9 13:53:29 2011
;; MSG SIZE rcvd: 31
dig www.adobe.com +cd
; <<>> DiG 9.8.0-P1 <<>> www.adobe.com +cd
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50312
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;www.adobe.com. IN A
;; ANSWER SECTION:
www.adobe.com. 3592 IN CNAME www.wip4.adobe.com.
www.wip4.adobe.com. 30 IN A 192.150.16.60
;; AUTHORITY SECTION:
wip4.adobe.com. 3337 IN NS da1gtm001.adobe.com.
wip4.adobe.com. 3337 IN NS 3dns-5.adobe.com.
;; Query time: 52 msec
;; SERVER: 10.10.10.100#53(10.10.10.100)
;; WHEN: Mon May 9 13:53:37 2011
;; MSG SIZE rcvd: 115
shows, as in the referenced post, that checking a dnssec-unsigned
domain @ resolver with dnssec-validation enabled returns DATA only if
that validation is DISABLED.
DCh
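As an added diagnostic (my own example, not code from the post or from ISC): a POSIX sh helper that compares a plain dig with a +cd dig against the same resolver and tells a validation failure (data exists, resolver will not vouch for it) apart from an ordinary resolution failure. The function names are hypothetical and the embedded sample headers are constructed from the dig output quoted above.

```sh
#!/bin/sh
# Added diagnostic helper, not from the original post. Hypothetical function
# names; the sample dig headers below are constructed from the post's output.

# Extract the RCODE (NOERROR, SERVFAIL, ...) from a dig header line.
dig_status() {
  printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p'
}

# Succeed if flag $2 (e.g. ad, cd) is present on the ';; flags:' line of $1.
dig_has_flag() {
  printf '%s\n' "$1" | grep -qE "^;; flags:( [a-z]+)* $2[ ;]"
}

# Classify a name given dig output without and with +cd from the same resolver.
#   validation-failure : SERVFAIL normally, NOERROR with +cd -> the resolver has
#                        the data but refuses to vouch for it (DNSSEC/chain issue)
#   resolution-failure : SERVFAIL even with +cd -> not a DNSSEC problem
#   validated          : NOERROR with the AD bit set
#   insecure           : NOERROR without AD (unsigned zone, or no trust anchor)
dnssec_verdict() {
  plain_rc=$(dig_status "$1")
  cd_rc=$(dig_status "$2")
  if [ "$plain_rc" = SERVFAIL ] && [ "$cd_rc" = NOERROR ]; then
    echo validation-failure
  elif [ "$plain_rc" = SERVFAIL ]; then
    echo resolution-failure
  elif [ "$plain_rc" = NOERROR ] && dig_has_flag "$1" ad; then
    echo validated
  elif [ "$plain_rc" = NOERROR ]; then
    echo insecure
  else
    echo "rcode-$plain_rc"
  fi
}

# Live use (needs network): dnssec_diagnose www.adobe.com @10.10.10.100
dnssec_diagnose() {
  dnssec_verdict "$(dig "$@")" "$(dig "$@" +cd)"
}

# Constructed samples: the two header pairs from the post above.
PLAIN_OUT=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12026
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
CD_OUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50312
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0'

echo "www.adobe.com: $(dnssec_verdict "$PLAIN_OUT" "$CD_OUT")"
```

On the post's output this prints validation-failure; a SERVFAIL that persists with +cd would print resolution-failure, which points away from DNSSEC and toward the view or forwarding configuration.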