>> By default, the bind daemon uses the "relative" style (or something
>> similar) when writing dynamic zone files to disk.
>> Guess what... all those "$ORIGIN" lines make it more difficult to
>> parse the file by a separate script... ;)
> Truly, you don't want to be reading master files. If
Hi,
the "named-compilezone" tool can output zone files in two different styles
(using the -s option):
"full" (suitable for processing by a separate script)
"relative" (more human-readable)
By default, the bind daemon uses the "relative" style (or something similar)
when writing dynamic
Are you using an iptables firewall?
Does the problem only occur on UDP connections to the problematic IP? Or also
on TCP connections to the same IP?
I had similar problems (not with bind) when the connection table of the iptables
"state" module was too small.
Iptables started dropping packets, because
Hi Graham,
> Has anybody on-list got a clever(er?) trick? I suppose that 9.10 with
> in-view might make the problem go away.
Instead of notifying all views at once you could just create a "notification
chain", where a view only notifies one other view:
view_1 notifies view_2.
>
>If the zone isn't signed, it shouldn't be trying to validate it as there's
>nothing to validate. Unless this fictional TLD now has a real delegated
>counter-part?
>
>Stuart
Just for clarification:
If a TLD does not exist, it can neither be signed nor unsigned.
And, officially, the mentioned
Hi Daniel,
> You may also try to disable all DNSSEC algorithms for a zone:
> https://lists.dns-oarc.net/pipermail/dns-operations/2014-October/012282.html
>
> Regards,
> Daniel
Also a nice idea for a workaround :) But it did not work for me.
This is what I tried:
Options {
>> Our customer uses a fictional Toplevel Domain[...]
>
> Can you flip the problem on its head, by signing the fictional TLD and
> deploying managed-keys (or trusted-keys) on the validating resolvers?
>
> Graham
Unfortunately we can't sign the fictional TLD, since we are neither master nor
slave
Hi Chris,
> While you wait for this to become generally available, you can do what I like
> to do for my customers: Use two layers of recursive DNS servers. The first
> layer takes queries from clients, knows about your insecure domains
> (through stub zones, slave zones, or conditional forwardi
Hm... In our case a short lifespan won't be enough.
Our customer uses a fictional top-level domain and migrating the whole
infrastructure to a new, proper domain will take him months if not years.
They'll have to adjust every DNS config of every server, every web service they
have running interna
Hi Mukund
and thanks a lot for pointing that out!
It is already more than I was hoping for :)
Regards,
Stefan
> BIND will get support for negative trust anchors in 9.11, which will provide
> the feature that you seek. An implementation is now in the master branch.
>
> https://tools.ietf.org
Hi @all,
I know that BIND has no feature to disable DNSSEC validation for selected
Zones/Domains (when working as a recursor).
One can only enable/disable DNSSEC validation globally per view (as a boolean
on/off).
I found that Microsoft's DNS Server has a feature to skip the validation for
som