[Dnssec-trigger] [dns-operations] unbound-bind chain causing validation failures on synthesized records

Paul Wouters paul at cypherpunks.ca
Mon Jul 9 23:49:17 UTC 2012


On Tue, 10 Jul 2012, Mark Andrews wrote:

> BIND bug, the "NOQNAME" NSEC/NSEC3 proof extraction is a side effect
> of validation.

Do you have a tracking/reference number for me?

> That said if you are talking through a recursive server that server
> should be validating as there are situations that are not recoverable
> without it.

So are you saying that even if the bug is fixed, bind does not support:

options {
 	dnssec-enable yes;
 	dnssec-validation no;
 	[...]
}

If so, should those options not be merged into one option? Or should
named-checkconf return a failure for such a configuration?

Does anyone know how prevalent these configurations are?

I'm CC:ing the dnssec-trigger list, as it might need to come up with a
new probe to detect this.

Paul



More information about the dnssec-trigger mailing list