On Tuesday, April 20, 2010, 9:25:05 AM, Adam Tkac wrote:

> On Mon, Apr 19, 2010 at 03:23:11PM -0400, Al Dunsmuir wrote:
>> With that, I finally got a clean setup on F12 by removing the
>> forwarders stanza as described in the following BZ:
>
> Well, I've already identified why DNSSEC sometimes doesn't work with
> forwarders.
>
> The problem is when a forwarder is configured not to return DNSSEC-related
> resource records (like RRSIGs, DSs, DNSKEYs etc). In BIND it is
> configured by the "dnssec-enable" option in named.conf. If this option
> is set to "no" then BIND can't be used as a forwarder because it won't
> return RRSIGs, which leads to "must-be-secure" failures.
>
> This is usually not a problem with the BIND 9.4 series and newer because
> dnssec-conf is set to "yes" per default. But it actually is a problem
> with BIND 9.3 and older where it is set to "no". Even if BIND 9.3 is
> outdated it is still used on many systems; good examples are Red Hat
> Enterprise Linux 5 or Debian Etch, both of which contain the BIND 9.3 series.
>
> So if your ISP uses those versions, doesn't manually set
> dnssec-enable to "yes" and you use that server as a forwarder, then
> you hit "must-be-secure" errors.

Thanks Adam - that explanation makes perfect sense.

I'm amazed at how fast F12 on my 64-bit AMD box without forwarders is
compared to the nameservers that sympatico.ca (Bell Canada) provides.
It sounds like they are also running behind the curve with the upgrade
to DNSSEC (or at minimum have blocked useful info). It looks like I'm
better off doing the full resolution myself, from speed and security
points of view!

>> Bug 577639 - bind Stopped Resolving (broken trust chain resolving)
>>
>> Huzzah! There are no more DNSSEC-related messages being issued by the
>> X86_64 F12 bind.
>>
>> Unfortunately, this didn't cure my F13 bind - I updated 577639 with
>> my named log messages. It might help to clear the named cache
>> manually to eliminate bogus values, but I could not find the obvious
>> directory. A reboot made no difference.
>>
>> Hopefully Adam Tkac will be able to come up with a bind update (or
>> some debug hints) for the final cure.
>
> Please be patient, I'm working on that issue.
>
> Regards, Adam

Excellent! When I see an F13 bind update (or a new comment under bz
577639) I'll install and give it a spin. Same for regression tests
under F12.

BTW, I found a gotcha with having the non-functional named running in
F13 - Firefox appears to use 127.0.0.1:53 for name resolution, even if
the local DNS server is not in the DNS settings for eth0!

Al

--
test mailing list
test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe: https://admin.fedoraproject.org/mailman/listinfo/test
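As an added example that is not part of the thread (neither Adam's nor Al's), here is a small POSIX shell checker for the failure Adam describes: it classifies `dig +dnssec` output by whether RRSIGs come back, so you can tell a forwarder that strips DNSSEC records from one that passes them through. It assumes `dig` from bind-utils is installed for the live probe; the two sample outputs are constructed, not captured from any real server.

```shell
#!/bin/sh
# Added example, not from the thread: probe a forwarder for the symptom Adam
# describes. A forwarder running with "dnssec-enable no" (the BIND 9.3 default)
# answers without RRSIGs, so a validating resolver behind it fails with
# "must-be-secure". The fix on the forwarder is `dnssec-enable yes;` in the
# options {} block of named.conf; this script only checks, it changes nothing.
# Assumes `dig` (bind-utils) is installed for the live probe; the samples below
# are constructed dig output, not captured from any real server.

# has_rrsig: read dig output on stdin, succeed if a non-comment line carries an RRSIG.
has_rrsig() {
    grep -Eq '^[^;].*[[:space:]]IN[[:space:]]+RRSIG[[:space:]]'
}

# classify_dig_output TEXT: print dnssec-ok if RRSIGs are present, else dnssec-stripped.
classify_dig_output() {
    if printf '%s\n' "$1" | has_rrsig; then
        echo dnssec-ok
    else
        echo dnssec-stripped
    fi
}

# probe_forwarder HOST [ZONE]: live check. +dnssec sets the DO bit, which is
# exactly the request a validating resolver sends to its forwarder.
probe_forwarder() {
    fwd=$1
    zone=${2:-.}
    out=$(dig +dnssec @"$fwd" "$zone" DNSKEY 2>&1) || { echo "dig failed: $out"; return 2; }
    verdict=$(classify_dig_output "$out")
    echo "$fwd: $verdict"
    [ "$verdict" = dnssec-ok ]
}

# Constructed samples: one forwarder that returns signatures, one that strips them.
SAMPLE_OK='; <<>> DiG 9.7.0 <<>> +dnssec @192.0.2.53 example. DNSKEY
;; ANSWER SECTION:
example.  3600  IN  DNSKEY  257 3 8 (constructed-key-material)
example.  3600  IN  RRSIG   DNSKEY 8 1 3600 20100501000000 20100401000000 12345 example. (constructed-sig)'

SAMPLE_STRIPPED='; <<>> DiG 9.3.6 <<>> +dnssec @192.0.2.54 example. DNSKEY
;; ANSWER SECTION:
example.  3600  IN  DNSKEY  257 3 8 (constructed-key-material)'

# Run the live probe only when a forwarder address is given on the command line.
if [ "$#" -gt 0 ]; then
    probe_forwarder "$@"
fi
```

Run it as `sh check-forwarder.sh 192.0.2.53` (address is a placeholder) against each forwarder in your named.conf; a "dnssec-stripped" verdict means that forwarder cannot sit in front of a validating resolver until its operator sets `dnssec-enable yes`.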