DNSSEC ISSUE (Msg: Request is not signed)
Mark Andrews
Mark_Andrews at isc.org
Mon Jul 16 06:48:36 UTC 2007
> On Sat, 14 Jul 2007, Mark Andrews wrote:
>
> > Auth servers don't have to set "ad" when responding. Named does
> > no crypto validation when answering from authoritative data.
> >
> > Workarounds are to use a recursion-only view.
>
> Which is exactly what I do; my authoritative nameservers have a
> non-authoritative, resolving view listening on the loopback interface
> that does do the crypto validation so that OpenSSH can get validated
> fingerprints.
>
> I'm curious as to why this is set up this way, though. Wouldn't it make
> sense that authoritative servers, when loading or fetching the zone
> file, validate the data when loaded and then return responses with the
> AD bit set?
Try that with a very large zone :-)
It may be possible to do just in time validation. We do this for pending NS RRsets when returning answers from the cache.
BIND 9.4 needs both dnssec-enable yes; and dnssec-validate yes;.
> cjs
> --
> Curt Sampson <cjs at cynic.net> +81 90 7737 2974
> http://www.starling-software.com
> The power of accurate observation is commonly called cynicism
> by those who have not got it. --George Bernard Shaw
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
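The split setup described in the thread, written out as an added named.conf example (not configuration posted by either participant): one authoritative view on the public address that answers from zone data without validation, and one recursion-only view bound to the loopback address that validates, so local clients such as OpenSSH see the AD bit. The zone name, addresses, file paths and the trust-anchor key are placeholders; the validation option is written `dnssec-validation` in named.conf.

```conf
// Added example (not from the thread): BIND 9.4-style named.conf with an
// authoritative view and a separate validating, recursion-only view on
// loopback. All names, addresses, paths and key material are placeholders.

options {
    directory "/var/named";
    listen-on { 127.0.0.1; 192.0.2.53; };   // loopback + public address (placeholders)
    dnssec-enable yes;                      // serve RRSIG/NSEC data, honour the DO bit
    dnssec-validation yes;                  // validate answers obtained by recursion
};

// Trust anchor for the zone this resolver should be able to validate.
// PLACEHOLDER key: replace with the zone's real KSK DNSKEY.
trusted-keys {
    "example.net." 257 3 5 "AwEAAa...PLACEHOLDER...";
};

// View 1: recursion-only resolver for local processes. Listed first, so a
// query arriving on 127.0.0.1 is matched here and never reaches the
// authoritative view; it is therefore answered from the validating cache
// rather than from authoritative zone data, and carries AD when validation
// succeeds.
view "resolver" {
    match-destinations { 127.0.0.1; ::1; };
    match-clients { localhost; };
    recursion yes;
    allow-recursion { localhost; };
    // No zone statements here: even the server's own zones are fetched and
    // validated exactly as any other resolver would see them.
};

// View 2: authoritative service on the public address. Recursion is off,
// so answers come straight from the loaded zone and carry no AD bit.
view "authoritative" {
    match-destinations { 192.0.2.53; };
    match-clients { any; };
    recursion no;
    zone "example.net" {
        type master;
        file "signed/example.net.db.signed";   // placeholder path to the signed zone
    };
};
```

To confirm the loopback view is doing what it should, query it directly with something like `dig @127.0.0.1 +dnssec host.example.net SSHFP` and check that the `flags:` line of the answer includes `ad`; the same query against the public address is expected to return the records and signatures but without `ad`. OpenSSH consults those SSHFP records when `VerifyHostKeyDNS` is enabled in ssh_config, and it is the presence of the AD flag on the loopback resolver's answer that lets it treat the fingerprint as validated.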