I'm happy to go with the change and with the logging of fails, and if a test
resolver were set up, I'd change over to that.
On 27 March 2013 20:09, Andy Smith <andy@???> wrote:
> Hi Chris,
>
> On Wed, Mar 27, 2013 at 07:07:56PM +0000, Chris Dennis wrote:
> > I have a VPS running Debian squeeze, and it runs bind9 to do some
> > simple DNS serving for a couple of domain names.
>
> This is about BitFolk's resolvers, the things you put in
> /etc/resolv.conf in order to resolve host names to IP addresses and
> so on. It's nothing to do with any DNS server you might be running
> yourself to provide authoritative DNS service for your domain(s).
>
> > Do I need to make any changes to use DNSSEC?
>
> No; after DNSSEC validation is enabled, if a domain has DNSSEC
> enabled but it's broken you will get SERVFAIL back (and no DNS
> answers).
>
> This is a deliberately-broken domain:
>
> $ dig -t a www.dnssec-failed.org
>
> ; <<>> DiG 9.6-ESV-R4 <<>> -t a www.dnssec-failed.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2300
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.dnssec-failed.org. IN A
>
> ;; Query time: 162 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Mar 27 20:03:16 2013
> ;; MSG SIZE rcvd: 39
>
> Without a validating resolver:
>
> $ dig -t a www.dnssec-failed.org
>
> ; <<>> DiG 9.7.3 <<>> -t a www.dnssec-failed.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24931
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.dnssec-failed.org. IN A
>
> ;; ANSWER SECTION:
> www.dnssec-failed.org. 7200 IN A 69.252.208.135
> www.dnssec-failed.org. 7200 IN A 69.252.216.215
>
> ;; AUTHORITY SECTION:
> dnssec-failed.org. 7200 IN NS dns105.comcast.net.
> dnssec-failed.org. 7200 IN NS dns101.comcast.net.
> dnssec-failed.org. 7200 IN NS dns102.comcast.net.
> dnssec-failed.org. 7200 IN NS dns103.comcast.net.
> dnssec-failed.org. 7200 IN NS dns104.comcast.net.
>
> ;; Query time: 91 msec
> ;; SERVER: 85.119.80.232#53(85.119.80.232)
> ;; WHEN: Wed Mar 27 20:02:42 2013
> ;; MSG SIZE rcvd: 187
>
> > Should I replace bind9 with unbound?
>
> No; Unbound is not an authoritative nameserver, it's a resolver
> (only).
>
> If you for some reason wanted to run your own resolver instead of
> using the BitFolk ones then you might install it.
>
> I suggested that people could install it if they liked, because some
> people are keen to have a DNSSEC validating resolver faster than I
> am willing to enable it on the BitFolk ones.
>
> > Will things break for me if you turn on this validation thingy and
> > I haven't made appropriate changes?
>
> Yes, no: There are no changes for you to make.
>
> A non-zero number of domain names on the Internet are bound to have
> enabled DNSSEC incorrectly, so there will be some degree of breakage
> which will be confusing for some people, as they will be unable to
> replicate that breakage with non-validating resolvers.
>
> Cheers,
> Andy
>
> --
> http://bitfolk.com/ -- No-nonsense VPS hosting
>
> > I'd be interested to hear any (even two word) reviews of their sofas…
> Provides seating. — Andy Davidson
>
--
Keith Williams
Keith's Place
www.keiths-place.co.uk
Tailor Made English
www.tmenglish.org
West Norfolk RSPCA
www.westnorfolkrspca.org.uk
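As an added illustration of the SERVFAIL-versus-NOERROR difference Andy shows in the two dig runs above (example code written for this page, not from the thread or from BitFolk), the snippet below decodes the 12-byte DNS header that dig summarises as "status:" and "flags:", and classifies a response the way a validating resolver's client would see it. The two sample headers are constructed to match the quoted dig output (ids 2300 and 24931, the qr/rd/ra flags and section counts); no network access is needed.

```python
import struct

# RCODE names from the DNS header (RFC 1035); dig prints these after "status:".
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def parse_header(wire):
    """Decode the 12-byte DNS header: id, flag bits and the four section counts."""
    if len(wire) < 12:
        raise ValueError("truncated DNS message")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    return {
        "id": msg_id,
        "qr": bool(flags & 0x8000),   # response (dig shows "qr")
        "rd": bool(flags & 0x0100),   # recursion desired
        "ra": bool(flags & 0x0080),   # recursion available
        "ad": bool(flags & 0x0020),   # authenticated data: set only by a validating resolver
        "cd": bool(flags & 0x0010),   # checking disabled: client asked to skip validation
        "status": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "query": qd, "answer": an, "authority": ns, "additional": ar,
    }


def classify(wire):
    """Explain a response the way the thread describes: SERVFAIL with no answers
    is what a validating resolver returns for a broken DNSSEC domain."""
    h = parse_header(wire)
    if h["status"] == "SERVFAIL" and h["answer"] == 0:
        return "servfail: possible DNSSEC validation failure (retry with +cd to confirm)"
    if h["status"] == "NOERROR" and h["ad"]:
        return "validated answer"
    if h["status"] == "NOERROR":
        return "unvalidated answer"
    return h["status"].lower()


def make_header(msg_id, rcode, ad=False, answer=0, authority=0):
    """Build a constructed response header with flags qr rd ra (plus ad if asked)."""
    flags = 0x8000 | 0x0100 | 0x0080 | (0x0020 if ad else 0) | rcode
    return struct.pack("!HHHHHH", msg_id, flags, 1, answer, authority, 0)


# Constructed headers mirroring the two dig runs quoted in the thread.
VALIDATING = make_header(2300, 2)                        # SERVFAIL, ANSWER: 0
NON_VALIDATING = make_header(24931, 0, answer=2, authority=5)  # NOERROR, ANSWER: 2

if __name__ == "__main__":
    for name, wire in (("validating", VALIDATING), ("non-validating", NON_VALIDATING)):
        print(name, parse_header(wire)["status"], "->", classify(wire))
```

A bare SERVFAIL is not proof of a DNSSEC problem (the resolver may simply be unable to reach the authoritative servers); re-running the query with the CD bit set, as dig +cd does, and getting an answer back is what confirms that validation was the cause.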