disable dnssec for particular domain
Reindl Harald
h.reindl at thelounge.net
Wed Feb 7 11:12:02 UTC 2018
On 07.02.2018 at 12:07, Matus UHLAR - fantomas wrote:
>> On 06/02/2018 16:31, Matus UHLAR - fantomas wrote:
>>> what's the difference, when the domain doesn't exist?
>>>
>>> is it because .eu is signed?
>
> On 06.02.18 16:35, Ray Bellis wrote:
>> Perhaps, although I'm not sure why given that .eu is signed with NSEC3
>> and opt-out.
>>
>> Are you *sure* that the domain doesn't now actually exist in the DNS?
>
> yes. even web whois shows no 'nameserver' information.
>
> the name is "testa.eu".
> I'm not good at dnssec to find out more

probably it's just a stupid idea to have no nameservers instead of some
fake-nameserver without DS records when you override the domain locally
anyways

my "rhsoft.net" domain on local networks also has nothing in common with
the public nameservers

https://dnssec-debugger.verisignlabs.com/testa.eu

Found 3 DNSKEY records for .
DS=20326/SHA-256 verifies DNSKEY=20326/SEP
DS=19036/SHA-256 verifies DNSKEY=19036/SEP
Found 1 RRSIGs over DNSKEY RRset
RRSIG=19036 and DNSKEY=19036/SEP verifies the DNSKEY RRset
eu
Found 1 DS records for eu in the . zone
DS=59479/SHA-256 has algorithm RSASHA256
Found 1 RRSIGs over DS RRset
RRSIG=41824 and DNSKEY=41824 verifies the DS RRset
Found 2 DNSKEY records for eu
DS=59479/SHA-256 verifies DNSKEY=59479/SEP
Found 2 RRSIGs over DNSKEY RRset
RRSIG=43743 and DNSKEY=43743 verifies the DNSKEY RRset
Zone eu (2600:2000:3004::1) returns NXDOMAIN for testa.eu