DNS/BIND9.11/disable-dnssec: notes on this topic go here.
https://groups.google.com/forum/#!topic/comp.protocols.dns.bind/xUA3rbsHxtw
On Fri, 4 Jun 2010, Jan Buchholz wrote:
> How can I disable DNSSEC in the BIND resolver? My firewall doesn't let
> packets with the DO flag through. I've tried 'dnssec-enable no;', but
> this doesn't fix the problem.

I believe that only disables *serving* DNSSEC records. I think you want 'dnssec-validation no;'

Paul
At least these two are probably needed:
dnssec-enable no;
dnssec-validation no;
JINMEI Tatuya / 神明達哉
The DO bit is always set whenever the server includes an EDNS OPT RR (I thought it was based on the specification, but don't remember which sentence of which RFC says so).
So, your only choice is to completely disable EDNS:
server ::/0 { edns no; };
server 0.0.0.0/0 { edns no; };
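The point Jinmei makes above is a wire-format one: the DO flag is not a separate header bit but the most significant bit of the flags half of the EDNS OPT RR's TTL field (RFC 3225), so a query that carries no OPT RR at all (which is what `edns no;` produces) cannot carry DO=1. The following Python is an added example, not code from the thread or from BIND; the function names (`build_query`, `find_opt`, `has_do_bit`) and the sample query name are assumptions of this example. It builds the three kinds of query a resolver might emit (EDNS with DO=1, EDNS with DO=0, no EDNS) and parses raw packet bytes to report whether DO is set, which is a useful check to run over captured queries when deciding what a filtering device will actually see.

```python
import struct

# Wire-format constants from RFC 1035 / RFC 6891 (EDNS0) / RFC 3225 (DO bit).
TYPE_A = 1
TYPE_OPT = 41
CLASS_IN = 1
EDNS_DO_BIT = 0x8000   # bit 15 of the OPT RR's 32-bit TTL field
EDNS_UDP_SIZE = 4096   # advertised UDP payload size (constructed value for the example)


def encode_name(name: str) -> bytes:
    """Encode a domain name as a sequence of length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, edns: bool = True, do: bool = True, txid: int = 0x1234) -> bytes:
    """Build a recursive (RD=1) query for <qname>/A.

    edns=False -> no OPT RR at all, i.e. what a server configured with 'edns no;' sends
    edns=True  -> OPT RR in the additional section, with the DO flag set per <do>
    """
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    pkt = header + question
    if edns:
        # OPT RR layout: root name, TYPE=41, CLASS=UDP payload size,
        # TTL = ext-rcode(8) | version(8) | DO(1) | Z(15), RDLENGTH=0.
        ttl = EDNS_DO_BIT if do else 0
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, EDNS_UDP_SIZE, ttl, 0)
    return pkt


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def find_opt(pkt: bytes):
    """Return (udp_size, ttl_flags) of the OPT RR, or None if the packet has no EDNS."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4   # skip QTYPE and QCLASS
    # Walk the answer, authority and additional sections looking for TYPE 41.
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return rclass, ttl
    return None


def has_do_bit(pkt: bytes) -> bool:
    """True only if the packet carries an OPT RR whose DO flag is set."""
    opt = find_opt(pkt)
    return opt is not None and bool(opt[1] & EDNS_DO_BIT)


if __name__ == "__main__":
    for edns, do in ((True, True), (True, False), (False, False)):
        q = build_query("example.com", edns=edns, do=do)
        print(f"edns={edns!s:5} do={do!s:5} -> len={len(q):2} DO bit present: {has_do_bit(q)}")
```

Feeding `has_do_bit` the payload of a captured UDP datagram (for example, from a packet capture on the resolver's outbound interface) confirms directly whether a given configuration still emits DO=1, which is the question the thread leaves open about `dnssec-validation no;` versus `edns no;`.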
---
Given that concern about whether or not it's a good idea to always send DO=1 has come up in other contexts, I for one would like to see chapter and verse for why doing so is a MUST/SHOULD. If it turns out that DO=1 is not required, I'd like to see a BIND option to turn it off.
Regarding the OP's situation, there are at least 2 problems. The first being putting a firewall in front of a name server to start with, and the second being that the firewall is broken. However I can think of other reasons to want DO=0, especially in the age where having DNSSEC records is going to be increasingly more common.
I have a guess at why ISC would want to enable it by default, and even in the presence of an option to turn it off I'm still Ok with that default. But if it's not a standards requirement to have it on, giving the admin a choice would be a welcome thing.
Doug Barton