[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: named stops resolving anything -- dnssec issue



On Sun, Apr 05, 2009 at 01:56:47PM -0400, Chuck Anderson wrote:
> On Sun, Apr 05, 2009 at 12:32:37PM -0400, Jonathan Kamens wrote:
> > On 04/05/2009 12:04 PM, Chuck Anderson wrote:
> >> Because DNSSEC is still in it's infancy w.r.t. production deployment
> >> on the Internet.  The powers that be still haven't signed the root
> >> zone, and most TLD zones aren't signed either.  So we have to live
> >> with the hack known as DLV for now, and there isn't much robustness in
> >> that service yet.
> >>    
> > Then Fedora shouldn't be shipping bind RPMs that turn DNSSEC validation  
> > on, should it?  Or perhaps dnssec-must-be-secure can be used in  
> > named.conf to configure in such a way that named tries DNSSEC validation  
> > but allows the query to proceed (with an error message logged) even if  
> > it fails?
> 
> Despite my initial enthusiasm for enabling DNSSEC by default in 
> Fedora, I tend to agree with you now that we should probably keep it 
> off by default for a while longer.  It is dead simple to turn off/on 
> though.  See the "dnssec-configure" command, which works for both BIND 
> and Unbound.

BTW, if anyone would like to follow this issue further, you can find 
the discussion on the dns-operations list:

https://lists.dns-oarc.net/mailman/listinfo/dns-operations


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]