[rbldnsd] rbldnsd +dnssec for pseudo tld zone
Lyle Giese
lyle at lcrcomputer.net
Wed Apr 6 16:43:07 MSD 2011
On 4/6/2011 6:04 AM, Lähteenmäki Mikko wrote:
>
> This is clipped from the post on
> https://lists.isc.org/pipermail/bind-users/2010-October/081577.html
>
> "When I recently installed the root dnssec initial key on our DNS it broke
> its ability to accept responses for forwarded requests for a DNS block
> list zone served by another system. Other queries aren't affected. The
> config for the forwarded zone looks like:
>
> zone "dnsbl" {
> type forward;
> forward only;
> forwarders {
> 10.0.0.124;
> };
> };
>
> The server at 10.0.0.124 is running rbldnsd. Queries to our main resolver
> DNS for anything in the 'dnsbl' zone generate a SERVFAIL and BIND logs
> messages similar to the following:
>
> error (chase DS servers) resolving 'sbl.dnsbl/DS/IN': 10.0.0.124#53
>
> If I disable the root initial key, the forwarded queries work again. I
> think the problem is that our pseudo TLD 'dnsbl' isn't a signed zone or
> something like that. The RRs for the zone are retrieved from various spam
> BL repositories.
>
> Is there a way to disable dnssec validation on a per-zone basis for
> internal pseudo TLDs?
>
> Antonio Querubin
> 808-545-5282 x3003
> e-mail/xmpp:tony at lava.net <https://lists.isc.org/mailman/listinfo/bind-users>"
>
>
> We are facing the same problem on our test environment at the moment. Our server is running local BIND and rbldnsd
> on localhost port XX. Anyone else having this issue?
>
>
> Br
>
>
> Mikko Lahteenmaki
>
> Finland
>
Why do you need to install the root dnssec initial key? I thought
normal DNS traffic downloaded those keys as necessary?
dlv.isc.org is different as it is not a root server, so to use
look-aside, you do need to have the keys for dlv.isc.org installed.
Lyle Giese
LCR Computer Services, Inc.
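Added example, not from this thread and not rbldnsd's or BIND's own documentation: a named.conf fragment that keeps DNSSEC validation enabled for the public tree while exempting the unsigned internal pseudo-TLD, which is the per-zone behaviour the quoted report asks for. It assumes BIND 9.14 or later, where the validate-except option exists (it postdates this 2011 thread); the zone name "dnsbl" and the forwarder 10.0.0.124 are taken from the quoted report.

```conf
// named.conf fragment (added example, assumes BIND 9.14 or newer)
options {
    directory "/var/named";

    // Validate the public DNS tree. With "auto" the root trust anchor is
    // maintained by named itself (RFC 5011 managed keys), so the root key
    // does not have to be installed by hand as in the quoted report.
    dnssec-validation auto;

    // Exempt the internal, unsigned pseudo-TLD from validation.
    // Without this the validator tries to prove that "dnsbl" is an
    // insecure delegation by looking up DS records, sending those
    // queries to the forwarder; for a pseudo-TLD that exists only on
    // the rbldnsd host that proof cannot succeed, and the result is
    // SERVFAIL with "chase DS servers" in the log, as quoted above.
    validate-except { "dnsbl"; };
};

// The forward-only zone from the quoted report, unchanged.
// 10.0.0.124 is the address from the report; use your own rbldnsd host.
zone "dnsbl" {
    type forward;
    forward only;
    forwarders { 10.0.0.124; };
};
```

Before changing the configuration, confirm that validation is the failing step: query the resolver for a name under the pseudo-TLD with dig's +cd (checking disabled) flag; if that query succeeds where the plain query returns SERVFAIL, the problem is validation of the unsigned zone rather than the forwarding itself.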