Actions
Enhancement #292
open
DNSSEC authoritative nameservers and validating resolvers should be separated
Start date:
2012-02-13
Due date:
% Done:
0%
Estimated time:
Patch Available:
No
Confirmed:
No
Branch:
Entity:
DuckCorp
Security:
No
Help Needed:
Yes
Description
According to RFC4035 3.1.6 (The AD and CD Bits in an Authoritative Response), it is normal behavior an authoritative nameserver returns AA without AD flag. In bind9 there is no way to either consider authoritative zones data to be authentic « without further validation », or redo validation (which would be silly while serving the zone outside).
Considered solutions:- on DNS servers: try to use a bind9 view for localhost request, which would not share any zone but act as a recursive validating resolver if possible, or use unbound as validating resolver (in resolv.conf only)
- on other servers: use unbound as validating resolver
Updated by Marc Dequènes about 12 years ago
Maybe having unbound listen on 127.0.0.1, have resolv.conf use it, and bind9 servers always listen only on external IPs would be a simpler and an easier to maintain configuration (i'm less and less thinking a view could help because it still has to revolve which probably will become an impossible request loop).
Updated by Marc Dequènes about 12 years ago
- Status changed from New to In Progress
On machines using DHCP, using unbound and resolconf should be fine.
Updated by Marc Dequènes about 10 years ago
- Tracker changed from Bug to Enhancement
- Priority changed from Normal to Low
Updated by Marc Dequènes almost 9 years ago
- Blocks deleted (Enhancement #273: DNS-secured CERTs using TLSA)
Updated by Marc Dequènes about 7 years ago
- Status changed from In Progress to Blocked
Actions