Re: named stops resolving anything -- dnssec issue

On Sun, Apr 05, 2009 at 12:32:37PM -0400, Jonathan Kamens wrote:
> On 04/05/2009 12:04 PM, Chuck Anderson wrote:
>> Because DNSSEC is still in its infancy w.r.t. production deployment
>> on the Internet.  The powers that be still haven't signed the root
>> zone, and most TLD zones aren't signed either.  So we have to live
>> with the hack known as DLV for now, and there isn't much robustness in
>> that service yet.
>>    
> Then Fedora shouldn't be shipping bind RPMs that turn DNSSEC validation  
> on, should it?  Or perhaps dnssec-must-be-secure can be used in  
> named.conf to configure in such a way that named tries DNSSEC validation  
> but allows the query to proceed (with an error message logged) even if  
> it fails?

Despite my initial enthusiasm for enabling DNSSEC by default in 
Fedora, I tend to agree with you now that we should probably keep it 
off by default for a while longer.  It is dead simple to turn off/on 
though.  See the "dnssec-configure" command, which works for both BIND 
and Unbound.

-- 
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
To unsubscribe: 
https://www.redhat.com/mailman/listinfo/fedora-test-list
