NXDOMAIN redirection in BIND 9.9

Jan-Piet Mens jpmens.dns at gmail.com
Fri Sep 30 10:05:58 UTC 2011


On Fri Sep 30 2011 at 11:50:51 CEST, Hauke Lampe wrote:

> > *except that perhaps those who enable this feature will use it as an excuse to avoid enabling validation, which would be a very bad result, IMO. . .
> 
> My reading of the docs says that BIND's NXDOMAIN redirections won't
> break DNSSEC-signed results:
> 
> "If the client has requested DNSSEC records (DO=1) and the NXDOMAIN
> response is signed then no substitution will occur."

I fixed my latest post on this after re-reading the ARM: indeed it
shouldn't break DNSSEC.

> I didn't get it to work, yet, though. After enabling the redirect zone,
> BIND goes into an endless loop of zone_timer/zone_maintenance/zone_settimer.

The redirection works, but I too noticed the CPU consumption (and
reported it to bind9-bugs).

        -JP


