I'm happy to go with the change and with the logging of fails, and if a test resolver were set up I'd change over to that.


On 27 March 2013 20:09, Andy Smith <andy@bitfolk.com> wrote:
Hi Chris,

On Wed, Mar 27, 2013 at 07:07:56PM +0000, Chris Dennis wrote:
> I have a VPS running Debian squeeze, and it runs bind9 to do some
> simple DNS serving for a couple of domain names.

This is about BitFolk's resolvers, the things you put in
/etc/resolv.conf in order to resolve host names to IP addresses and
so on. It's nothing to do with any DNS server you might be running
yourself to provide authoritative DNS service for your domain(s).

> Do I need to make any changes to use DNSSEC?

No; after DNSSEC validation is enabled, if a domain has DNSSEC
enabled but it's broken you will get SERVFAIL back (and no DNS
answers).

This is a deliberately-broken domain:

    $ dig -t a www.dnssec-failed.org

    ; <<>> DiG 9.6-ESV-R4 <<>> -t a www.dnssec-failed.org
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2300
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.dnssec-failed.org.         IN      A

    ;; Query time: 162 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Wed Mar 27 20:03:16 2013
    ;; MSG SIZE  rcvd: 39

Without a validating resolver:

    $ dig -t a www.dnssec-failed.org

    ; <<>> DiG 9.7.3 <<>> -t a www.dnssec-failed.org
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24931
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.dnssec-failed.org.         IN      A

    ;; ANSWER SECTION:
    www.dnssec-failed.org.  7200    IN      A       69.252.208.135
    www.dnssec-failed.org.  7200    IN      A       69.252.216.215

    ;; AUTHORITY SECTION:
    dnssec-failed.org.      7200    IN      NS      dns105.comcast.net.
    dnssec-failed.org.      7200    IN      NS      dns101.comcast.net.
    dnssec-failed.org.      7200    IN      NS      dns102.comcast.net.
    dnssec-failed.org.      7200    IN      NS      dns103.comcast.net.
    dnssec-failed.org.      7200    IN      NS      dns104.comcast.net.

    ;; Query time: 91 msec
    ;; SERVER: 85.119.80.232#53(85.119.80.232)
    ;; WHEN: Wed Mar 27 20:02:42 2013
    ;; MSG SIZE  rcvd: 187

> Should I replace bind9 with unbound?

No; Unbound is not an authoritative nameserver, it's a resolver
(only).

If you for some reason wanted to run your own resolver instead of
using the BitFolk ones then you might install it.

I suggested that people could install it if they liked, because some
people are keen to have a DNSSEC validating resolver faster than I
am willing to enable it on the BitFolk ones.

> Will things break for me if you turn on this validation thingy and
> I haven't made appropriate changes?

Yes, no: There are no changes for you to make.

A non-zero number of domain names on the Internet are bound to have
enabled DNSSEC incorrectly, so there will be some degree of breakage
which will be confusing for some people, as they will be unable to
replicate that breakage with non-validating resolvers.

Cheers,
Andy

--
http://bitfolk.com/ -- No-nonsense VPS hosting

> I'd be interested to hear any (even two word) reviews of their sofas…
Provides seating.         — Andy Davidson



--
Keith Williams

Keith's Place  www.keiths-place.co.uk
Tailor Made English   www.tmenglish.org
West Norfolk RSPCA www.westnorfolkrspca.org.uk
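The two dig runs above show the symptom (SERVFAIL from a validating resolver, NOERROR from a non-validating one) but a SERVFAIL on its own does not prove that DNSSEC validation is what rejected the answer. The usual practitioner check is to look at the AD flag in a NOERROR reply and, on SERVFAIL, to repeat the query with the CD (Checking Disabled) bit set: if the CD query succeeds, the resolver validated and found the data bogus; if it also fails, the problem is elsewhere. The script below is an added example written for this page, not code from the thread or from BitFolk; it uses only the Python standard library, builds and parses raw wire-format DNS headers, and the function names (`build_query`, `parse_header`, `classify`, `check_name`) and the constructed sample replies are my own, modelled on the two dig outputs quoted above.

```python
"""Tell a DNSSEC validation failure apart from an ordinary resolver failure
using the header bits of raw DNS replies (added example, stdlib only)."""
import socket
import struct

QTYPE_A, QCLASS_IN, TYPE_OPT = 1, 1, 41
# Header flag bits: RFC 1035 s4.1.1; AD and CD from RFC 4035 s3.2
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_MASK, RCODE_NOERROR, RCODE_SERVFAIL = 0x000F, 0, 2


def encode_name(name):
    """Encode 'www.example.org' as wire-format labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label: %r" % label)
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(name, txid, qtype=QTYPE_A, cd=False):
    """Recursive query. AD in the query asks the resolver to report AD in its
    reply (RFC 6840 s5.7); the EDNS0 OPT record carries the DO bit; cd=True
    sets Checking Disabled so a validating resolver answers even for bogus data."""
    flags = FLAG_RD | FLAG_AD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    # OPT pseudo-RR: root name, type 41, class = UDP payload size, TTL holds DO
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0)
    return header + question + opt


def parse_header(wire):
    """Return the header fields a DNSSEC check needs from a DNS message."""
    if len(wire) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "ra": bool(flags & FLAG_RA), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "rcode": flags & RCODE_MASK,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify(normal, with_cd):
    """normal: parsed reply to the plain query; with_cd: parsed reply to the
    same query sent with CD set, or None if that second query was not made."""
    if normal["rcode"] == RCODE_NOERROR:
        return "validated" if normal["ad"] else "unvalidated"
    if normal["rcode"] == RCODE_SERVFAIL:
        if with_cd is None:
            return "servfail-unknown"          # cannot tell without the CD retry
        if with_cd["rcode"] == RCODE_NOERROR and with_cd["ancount"] > 0:
            return "dnssec-bogus"              # data exists but failed validation
        return "servfail-other"                # fails even with checking disabled
    return "rcode-%d" % normal["rcode"]


def query_udp(server, wire, timeout=3.0):
    """Send one query over UDP and return its parsed reply header (network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(wire, (server, 53))
        reply, _ = s.recvfrom(4096)
    hdr = parse_header(reply)
    if hdr["id"] != struct.unpack("!H", wire[:2])[0]:
        raise ValueError("transaction ID mismatch")
    return hdr


def check_name(server, name):
    """Query server for name, retry with CD only on SERVFAIL, and classify."""
    normal = query_udp(server, build_query(name, 0x0001))
    with_cd = None
    if normal["rcode"] == RCODE_SERVFAIL:
        with_cd = query_udp(server, build_query(name, 0x0002, cd=True))
    return classify(normal, with_cd)


# Constructed sample replies modelled on the two dig runs in the thread.
QUESTION = encode_name("www.dnssec-failed.org") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
BASE = FLAG_QR | FLAG_RD | FLAG_RA
SERVFAIL_REPLY = struct.pack("!HHHHHH", 2300, BASE | RCODE_SERVFAIL, 1, 0, 0, 0) + QUESTION
SERVFAIL_CD_RETRY = struct.pack("!HHHHHH", 2301, BASE | FLAG_CD, 1, 2, 5, 0) + QUESTION
NOERROR_REPLY = struct.pack("!HHHHHH", 24931, BASE, 1, 2, 5, 0) + QUESTION
VALIDATED_REPLY = struct.pack("!HHHHHH", 7, BASE | FLAG_AD, 1, 1, 0, 0) + QUESTION


def demo():
    """Classify the constructed replies offline (no network needed)."""
    return {
        "validating-resolver-bogus-name": classify(parse_header(SERVFAIL_REPLY),
                                                   parse_header(SERVFAIL_CD_RETRY)),
        "non-validating-resolver": classify(parse_header(NOERROR_REPLY), None),
        "validating-resolver-good-name": classify(parse_header(VALIDATED_REPLY), None),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, "->", verdict)
```

To run it against a live resolver, call `check_name("127.0.0.1", "www.dnssec-failed.org")`; a validating resolver should give `dnssec-bogus`, and a properly signed name should give `validated` (the AD bit) rather than `unvalidated`. Matching the reply's transaction ID to the query is the minimum sanity check before trusting a UDP answer; a real client would also randomise the ID and source port.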