Re: Little help about named needed

To: netbsd-users%NetBSD.org@localhost
Subject: Re: Little help about named needed
From: Matthias Scheler <tron%zhadum.org.uk@localhost>
Date: Sun, 19 Jun 2011 08:11:37 +0100

On Sat, Jun 18, 2011 at 10:50:28PM -0400, Steven Bellovin wrote:
> > The latest BIND in "netbsd-5" enables DNSSEC by default. This caused
> > problems for me when I was using upstream name servers. Without them
> > it works fine.
> 
> What sort of problems?

Lots of messages like these:

Mar 16 15:51:45 colwyn named[151]: error (broken trust chain) resolving 
'www.goggle.de/A/IN': 216.239.38.10#53
Mar 16 15:51:45 colwyn named[151]: error (broken trust chain) resolving 
'www.goggle.de/A/IN': 216.239.36.10#53

And as a result name resolution mostly stopped working.

> > You can of course also put "dnssec-enable no;" in the global options
> > section of "named.conf".
> > 
> We should certainly build it with support included; whether or not
> it should be turned on by default is of course another matter.

Let me correct my statement a bit:
The "named.conf" that we ship has it enabled by default. I don't think
the binary has.

        Kind regards

-- 
Matthias Scheler                                  http://zhadum.org.uk/

References:
- Little help about named needed
  - From: Dima Veselov
- Re: Little help about named needed
  - From: Manuel Bouyer
- Re: Little help about named needed
  - From: Matthias Scheler
- Re: Little help about named needed
  - From: Steven Bellovin

Prev by Date: Re: Little help about named needed
Next by Date: recommendation for all-in-one pc?
Previous by Thread: Re: Little help about named needed
Next by Thread: recommendation for all-in-one pc?
Indexes:

Home | Main Index | Thread Index | Old Index