Enhancement #292: DNSSEC authoritative nameservers and validating resolvers should be separated - DuckCorp Infrastructure - DuckCorp Projects

Actions

Copy link

Enhancement #292

open

DNSSEC authoritative nameservers and validating resolvers should be separated

Added by Marc Dequènes about 12 years ago. Updated about 7 years ago.

Status:

Blocked

Priority:

Low

Assignee:

Marc Dequènes

Category:

Service :: DNS

Start date:

2012-02-13

Due date:

% Done:

Estimated time:

Patch Available:

Confirmed:

Branch:

Entity:

DuckCorp

Security:

Help Needed:

Yes

Description

According to RFC4035 3.1.6 (The AD and CD Bits in an Authoritative Response), it is normal behavior an authoritative nameserver returns AA without AD flag. In bind9 there is no way to either consider authoritative zones data to be authentic « without further validation », or redo validation (which would be silly while serving the zone outside).

Considered solutions:

on DNS servers: try to use a bind9 view for localhost request, which would not share any zone but act as a recursive validating resolver if possible, or use unbound as validating resolver (in resolv.conf only)
on other servers: use unbound as validating resolver

Related issues 1 (0 open — 1 closed)

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

DuckCorp » DuckCorp Infrastructure

Custom queries

Enhancement #292

DNSSEC authoritative nameservers and validating resolvers should be separated

Updated by Marc Dequènes about 12 years ago

Updated by Marc Dequènes about 12 years ago

Updated by Marc Dequènes over 11 years ago

Updated by Marc Dequènes about 10 years ago

Updated by Marc Dequènes almost 9 years ago

Updated by Marc Dequènes almost 9 years ago

Updated by Marc Dequènes about 7 years ago