[Dnssec-trigger] [dns-operations] unbound-bind chain causing validation failures on synthesized records
Paul Wouters
paul at cypherpunks.ca
Mon Jul 9 23:49:17 UTC 2012
On Tue, 10 Jul 2012, Mark Andrews wrote:
> BIND bug, the "NOQNAME" NSEC/NSEC3 proof extraction is a side effect
> of validation.
Do you have a tracking/reference number for me?
> That said if you are talking through a recursive server that server
> should be validating as there are situations that are not recoverable
> without it.
So are you saying that even if the bug is fixed, bind does not support:
options {
dnssec-enable yes;
dnssec-validation no;
[...]
}
If so, should those options not be merged into one option? Or should
named-checkconf return a failure for such a configuration?
Does anyone know how prevalent these configurations are?
I'm CC:ing the dnssec-trigger list, as it might need to come up with a
new probe to detect this.
Paul
More information about the dnssec-trigger
mailing list