1. Background:
1.1. At http://spectlog.com/content/BIND_named:_error_%28no_valid_DS%29_resolving it is written:
Code: |
Default BIND installation on CentOS could not resolve some
known hostnames. However, it did work for most of the other
sites. The configuration used forwarding which resulted
in the error (/var/log/messages) similar to this:
Dec 14 12:21:33 master named[4280]: error (no valid RRSIG)
resolving 'example.com/DS/IN': 192.168.122.1#53
Dec 14 12:21:33 master named[4280]: error (no valid DS)
resolving 'example.com/A/IN': 192.168.122.1#53
The problem was enabled DNSSEC on the local BIND server.
It refused to return non-validated answers. In order to switch
it off, modify /etc/named.conf to use these lines:
dnssec-enable no;
dnssec-validation no;
|
1.2. At http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html#options it is written:
Code: |
dnssec-enable
Enable DNSSEC support in named. Unless set to yes, named
behaves as if it does not support DNSSEC. The default is yes.
dnssec-validation
Enable DNSSEC validation in named. Note dnssec-enable
also needs to be set to yes to be effective. If set to no,
DNSSEC validation is disabled. If set to auto, DNSSEC
validation is enabled, and a default trust-anchor for
the DNS root zone is used. If set to yes, DNSSEC validation is
enabled, but a trust anchor must be manually configured
using a trusted-keys or managed-keys statement.
The default is yes.
|
2. Five questions:
2.1. What is a default trust-anchor for the DNS root zone?
2.2. What is a trust anchor that is manually configured using a trusted-keys or managed-keys statement?
2.3. Is 2.2 more secure than 2.1?
2.4. Does 2.1 provide security?
2.5. Is 2.2 practical?
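Added example, not part of the post and not BIND's own code: a small Python checker that applies the dnssec-enable / dnssec-validation semantics quoted in 1.2 to named.conf fragments, so the configurations behind the questions (validation switched off as in 1.1, auto with the built-in root anchor, and yes with a manually configured anchor) can be told apart. The sample configurations and the root key placeholder are constructed for the example.

```python
import re

# Constructed named.conf fragments (not from the original post).
WEAK_CONF = """
options {
    forwarders { 192.168.122.1; };
    dnssec-enable no;        # the 1.1 "fix": answers are no longer validated
    dnssec-validation no;
};
"""

AUTO_CONF = """
options {
    dnssec-enable yes;
    dnssec-validation auto;  # built-in root anchor, tracked as a managed key
};
"""

MANUAL_CONF = """
options {
    dnssec-enable yes;
    dnssec-validation yes;   # an anchor must be supplied explicitly
};
managed-keys {
    "." initial-key 257 3 8 "PLACEHOLDER-ROOT-KSK-BASE64";  # placeholder, not a real key
};
"""

_OPT = re.compile(r'\b(dnssec-enable|dnssec-validation)\s+(\S+?)\s*;')

def dnssec_posture(conf: str) -> str:
    """Classify a named.conf fragment by how it handles DNSSEC validation."""
    stripped = re.sub(r'(#|//).*', '', conf)   # drop comments before matching
    opts = {k: v.lower() for k, v in _OPT.findall(stripped)}
    enable = opts.get('dnssec-enable', 'yes')          # ISC default: yes
    validation = opts.get('dnssec-validation', 'yes')  # ISC default: yes
    if enable == 'no' or validation == 'no':
        return 'unvalidated'          # forged or stale answers are accepted unchecked
    if validation == 'auto':
        return 'auto-root-anchor'     # built-in root anchor, rollover followed automatically
    # dnssec-validation yes: named needs a trust anchor from the configuration
    if re.search(r'^\s*managed-keys\s*{', stripped, re.M):
        return 'manual-managed-keys'  # RFC 5011 tracking, key rollover handled
    if re.search(r'^\s*trusted-keys\s*{', stripped, re.M):
        return 'manual-trusted-keys'  # static key: validation breaks at the next KSK rollover
    return 'misconfigured'            # validation on but no trust anchor at all
```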