I'm happy to go with the change and with the logging of fails, and if a test
resolver were set up, I'd change over to that.
On 27 March 2013 20:09, Andy Smith <andy(a)bitfolk.com> wrote:
Hi Chris,
On Wed, Mar 27, 2013 at 07:07:56PM +0000, Chris Dennis wrote:
I have a VPS running Debian squeeze, and it runs bind9 to do some
simple DNS serving for a couple of domain names.
This is about BitFolk's resolvers, the things you put in
/etc/resolv.conf in order to resolve host names to IP addresses and
so on. It's nothing to do with any DNS server you might be running
yourself to provide authoritative DNS service for your domain(s).
Do I need to make any changes to use DNSSEC?
No; after DNSSEC validation is enabled, if a domain has DNSSEC
enabled but it's broken you will get SERVFAIL back (and no DNS
answers).
This is a deliberately-broken domain:
$ dig -t a www.dnssec-failed.org
; <<>> DiG 9.6-ESV-R4 <<>> -t a www.dnssec-failed.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2300
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.dnssec-failed.org. IN A
;; Query time: 162 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Mar 27 20:03:16 2013
;; MSG SIZE rcvd: 39
Without a validating resolver:
$ dig -t a www.dnssec-failed.org
; <<>> DiG 9.7.3 <<>> -t a www.dnssec-failed.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24931
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 0
;; QUESTION SECTION:
;www.dnssec-failed.org. IN A
;; ANSWER SECTION:
www.dnssec-failed.org. 7200 IN A 69.252.208.135
www.dnssec-failed.org. 7200 IN A 69.252.216.215
;; AUTHORITY SECTION:
dnssec-failed.org. 7200 IN NS dns105.comcast.net.
dnssec-failed.org. 7200 IN NS dns101.comcast.net.
dnssec-failed.org. 7200 IN NS dns102.comcast.net.
dnssec-failed.org. 7200 IN NS dns103.comcast.net.
dnssec-failed.org. 7200 IN NS dns104.comcast.net.
;; Query time: 91 msec
;; SERVER: 85.119.80.232#53(85.119.80.232)
;; WHEN: Wed Mar 27 20:02:42 2013
;; MSG SIZE rcvd: 187
Should I replace bind9 with unbound?
No; Unbound is not an authoritative nameserver, it's a resolver (only).
If you for some reason wanted to run your own resolver instead of
using the BitFolk ones then you might install it.
I suggested that people could install it if they liked, because some
people are keen to have a DNSSEC validating resolver faster than I
am willing to enable it on the BitFolk ones.
Will things break for me if you turn on this validation thingy and
I haven't made appropriate changes?
Yes, no: There are no changes for you to make.
A non-zero number of domain names on the Internet are bound to have
enabled DNSSEC incorrectly, so there will be some degree of breakage
which will be confusing for some people, as they will be unable to
replicate that breakage with non-validating resolvers.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
I'd be interested to hear any (even two word)
reviews of their sofas…
Provides seating. — Andy Davidson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEAREDAAYFAlFTUhAACgkQIJm2TL8VSQu1swCfQoNZmXtrhX8Xro1gcJIEeQH+
ygcAoNm8Sg3TDz+zA566j3JuDRndpUiz
=HhVz
-----END PGP SIGNATURE-----
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
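The two dig transcripts above show the symptom Andy describes: a validating resolver answers SERVFAIL with no records, while a non-validating one hands back the A records. The script below is an added example (not BitFolk's code or anything from the thread) that parses dig's header and flags lines and classifies a failure by comparing a validating lookup with the same lookup done with checking disabled (`dig +cd`, or against a non-validating resolver). The sample inputs are the two transcripts from the thread, trimmed to the lines the parser needs; the category names and the `DigResult` structure are this example's own invention.

```python
import re
from dataclasses import dataclass

# Sample input, taken from the two dig transcripts quoted in the thread and
# trimmed to the header, flags and server lines (constructed fixture).
VALIDATING_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2300
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

NON_VALIDATING_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24931
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 0
;; SERVER: 85.119.80.232#53(85.119.80.232)
"""

# dig's fixed-format summary lines; the regexes only need the ";;" lines.
HEADER_RE = re.compile(
    r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)", re.M)
FLAGS_RE = re.compile(
    r"^;; flags: ([a-z ]*); QUERY: (\d+), ANSWER: (\d+), "
    r"AUTHORITY: (\d+), ADDITIONAL: (\d+)", re.M)
SERVER_RE = re.compile(r"^;; SERVER: (\S+)", re.M)


@dataclass(frozen=True)
class DigResult:
    status: str          # RCODE as dig prints it: NOERROR, SERVFAIL, NXDOMAIN, ...
    flags: frozenset     # header flags, e.g. {"qr", "rd", "ra", "ad"}
    answers: int         # record count in the ANSWER section
    server: str          # resolver that answered, from the ";; SERVER:" line


def parse_dig(text: str) -> DigResult:
    """Extract status, flags, answer count and server from dig output."""
    header = HEADER_RE.search(text)
    flags = FLAGS_RE.search(text)
    server = SERVER_RE.search(text)
    if not (header and flags):
        raise ValueError("not a dig response: HEADER or flags line missing")
    return DigResult(
        status=header.group(2),
        flags=frozenset(flags.group(1).split()),
        answers=int(flags.group(3)),
        server=server.group(1) if server else "?",
    )


def classify(validating: DigResult, checking_disabled: DigResult) -> str:
    """Compare a validating lookup with the same name looked up with
    checking disabled.  SERVFAIL on the validating side while the
    unchecked side returns data is the DNSSEC-breakage signature the
    thread describes; SERVFAIL on both sides is an ordinary outage."""
    if validating.status == "SERVFAIL":
        if checking_disabled.status == "NOERROR" and checking_disabled.answers > 0:
            return "dnssec-validation-failure"
        return "servfail-not-dnssec-related"
    if validating.status == "NOERROR":
        # "ad" (authenticated data) is set only when the resolver validated.
        return "validated" if "ad" in validating.flags else "unsigned-or-not-validated"
    return validating.status.lower()


if __name__ == "__main__":
    v = parse_dig(VALIDATING_OUTPUT)
    cd = parse_dig(NON_VALIDATING_OUTPUT)
    print(f"{v.server}: {v.status}, {v.answers} answers")
    print(f"{cd.server}: {cd.status}, {cd.answers} answers")
    print("verdict:", classify(v, cd))
```

To use it on a live name, capture `dig -t a <name>` against the validating resolver and `dig +cd -t a <name>` against the same resolver, and feed both outputs to `parse_dig`; a verdict of `dnssec-validation-failure` means the zone owner's DNSSEC is broken and the resolver is doing its job, which is the case that will otherwise look like "works everywhere but here".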