
List:       postfix-users
Subject:    Re: dnssec fails for domain with dnssec disabled
From:       Viktor Dukhovni <postfix-users () dukhovni ! org>
Date:       2019-02-23 18:10:06
Message-ID: 20190223181005.GE916 () straasha ! imrryr ! org

On Sat, Feb 23, 2019 at 06:20:02PM +0100, Benny Pedersen wrote:

> sorry for OT but
> 
> named[29088]: validating ebokssmtp.e-boks.dk/A: no valid signature found
> named[29088]: validating advisering.e-boks.dk/MX: no valid signature found
> named[29088]: validating e-boks.dk/SOA: no valid signature found
> named[29088]: validating 9HUFO4E59MN3J8OUO77E3P7B5T38AIAN.e-boks.dk/NSEC3: no valid signature found
> named[29088]: validating advisering.e-boks.dk/TXT: no valid signature found
> named[29088]: validating advisering.e-boks.dk/A: no valid signature found
> named[29088]: validating smtp-in.e-boks.dk/A: no valid signature found
> named[29088]: validating e-boks.dk/NS: no valid signature found
> named[29088]: validating www.e-boks.dk/CNAME: no valid signature found
> named[29088]: validating exc2001._domainkey.advisering.e-boks.dk/TXT: no valid signature found

I don't know why your BIND resolver is attempting to validate
signatures for this domain; though it has DNSKEY records and
signatures, there are no associated DS records in the parent .dk
zone.  It resolves fine here.  Perhaps the DS records were present
previously, and have since been deleted?

In any case, it should be possible to configure named to not validate
any given domain.  With "unbound" (my choice of validating resolver),
this can be done via:

	server:
		domain-insecure: "e-boks.dk"

-- 
	Viktor.
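As an added illustration (not part of the thread, and not code from the unbound or BIND projects), a small Python helper that walks the three steps of the reply above: pull the failing owner names out of named's validator log, confirm they all sit under one zone, decide what a validator must conclude when the parent publishes no DS for that zone, and emit the unbound `domain-insecure` workaround only in that case. The log lines and the DNSKEY/DS key tags are constructed samples; a real check would fetch the DS set from the parent and the DNSKEY set from the apex with `dig`.

```python
import re

# Constructed sample of BIND validator log lines, modelled on those quoted in the thread.
NAMED_LOG = """\
named[29088]: validating ebokssmtp.e-boks.dk/A: no valid signature found
named[29088]: validating advisering.e-boks.dk/MX: no valid signature found
named[29088]: validating e-boks.dk/SOA: no valid signature found
named[29088]: validating www.e-boks.dk/CNAME: no valid signature found
named[29088]: validating exc2001._domainkey.advisering.e-boks.dk/TXT: no valid signature found
"""

VALIDATING_RE = re.compile(r"validating (?P<name>[^\s/]+)/(?P<rtype>[A-Z0-9]+): no valid signature found")


def failing_names(log_text):
    """Owner names that BIND reported as failing DNSSEC validation."""
    return [m.group("name") for m in VALIDATING_RE.finditer(log_text)]


def under_zone(name, zone):
    """True if name is the zone apex or below it (label-aligned, not a plain substring test)."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def validator_expectation(parent_ds_tags, apex_dnskey_tags):
    """What a validating resolver must conclude from the delegation (RFC 4035):
    no DS in the signed parent means the child zone is *insecure* and is not validated at all,
    even if it publishes DNSKEY and RRSIG records; a DS with no matching DNSKEY is *bogus*."""
    if not parent_ds_tags:
        return "insecure"
    return "secure" if set(parent_ds_tags) & set(apex_dnskey_tags) else "bogus"


def unbound_insecure_stanza(zone):
    """The unbound.conf workaround from the reply: stop validating one zone."""
    return 'server:\n\tdomain-insecure: "%s"\n' % zone.rstrip(".")


def triage(log_text, zone, parent_ds_tags, apex_dnskey_tags):
    """Names failing under `zone`, the expected validator state, and the workaround when
    the parent carries no DS (i.e. the failures should not have been attempted at all)."""
    hits = [n for n in failing_names(log_text) if under_zone(n, zone)]
    state = validator_expectation(parent_ds_tags, apex_dnskey_tags)
    workaround = unbound_insecure_stanza(zone) if hits and state == "insecure" else ""
    return {"failing": hits, "expected_state": state, "workaround": workaround}


if __name__ == "__main__":
    # Constructed key tags: the zone publishes a DNSKEY (tag 12345) but .dk holds no DS for it.
    print(triage(NAMED_LOG, "e-boks.dk", parent_ds_tags=[], apex_dnskey_tags=[12345]))
```

When the parent does publish a DS whose key tag matches no DNSKEY at the apex, the state is "bogus" and no `domain-insecure` stanza is produced, since that is a genuine validation failure rather than a resolver misbehaviour.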