RE: Questions about "dnssec validation" statement

2025-03-06 Thread Chris Isaksen 
I haven't tried anything yet as I wanted to make sure I didn't break anything.

I can add the validation no to the zone and named-checkconf and see if it will 
take it.  I'll have to wait until after hours to try it.

Thanks

From: Evan McKinney 
Sent: Thursday, March 6, 2025 8:05 AM
To: Chris Isaksen 
Cc: bind-users@lists.isc.org
Subject: Re: Questions about "dnssec validation" statement

Hi Chris

If you've got your global options set similarly to this
options {
dnssec-validation auto; // Global validation enabled
// ... other options ...
};

Have you been able to try something along the lines of this?
zone "no-dnssec.example" {
type forward;
forwarders { 192.0.2.1; };
validation no;
};

-Evan


On 6 Mar 2025, at 07:56, Chris Isaksen 
mailto:chris.isak...@nysed.gov>> wrote:

I was wondering if dnssec validation could be set to auto in the options 
section and then set it to 'no' in a particular zone?

We would like to use "dnssec validation auto"  but a few forwarding zones we 
have, we know do not use dnssec and queries fail if it's not set to no.

Thanks



Chris Isaksen
System Administrator
Server Support Unit
(518)-473-7580



Confidentiality Notice

This email including all attachments is confidential and intended solely for 
the use of the individual or entity to which it is addressed. This 
communication may contain information that is protected from disclosure under 
State and/or Federal law. Please notify the sender immediately if you have 
received this communication in error and delete this email from your system. If 
you are not the intended recipient you are notified that disclosing, copying, 
distributing or taking any action in reliance on the contents of this 
information is strictly prohibited.

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Just a suspicion for now: Memory leak in 9.20.4?

2025-03-06 Thread Borja Marcos via bind-users 


> On 14 Feb 2025, at 09:49, Borja Marcos via bind-users 
>  wrote:
> 
> Signed PGP part
> 
> 
>> On 13 Feb 2025, at 14:46, Ondřej Surý  wrote:
>> 
>> There’s official KB article on the topic: 
>> https://kb.isc.org/docs/bind-memory-consumption-explained - you actually 
>> need to use jeprof and understand the BIND 9 internals.
> 
> I will keep monitoring and let you know.

After launching the stone, a small update.

I think it is a FreeBSD bug. Some 9.20.x behavior might be triggering a worst 
case condition.

The bug would be this one: Note that I am running FreeBSD 14.2, but I think it 
hasn’t been fixed yet.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=281471

Sorry about the confusion but well, memory growth was a bt crazy!



Borja.




signature.asc
Description: Message signed with OpenPGP
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Questions about "dnssec validation" statement

2025-03-06 Thread Evan Hunt 
On Thu, Mar 06, 2025 at 12:56:08PM +, Chris Isaksen wrote:
> I was wondering if dnssec validation could be set to auto in the options
> section and then set it to 'no' in a particular zone?
> 
> We would like to use "dnssec validation auto"  but a few forwarding zones
> we have, we know do not use dnssec and queries fail if it's not set to
> no.

"validate-except { domain1; domain2; ... };"

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users