Disabling DNSSEC validation per zone?

Hauke Lampe list+bindusers at hauke-lampe.de
Sat Aug 29 22:30:03 UTC 2009

I am looking for way to disable DNSSEC lookaside validation for a given
zone. Would this be possible with BIND already or do I need to file a
feature request (and where)?

My reason is that we use a zone "example.net" for internal hosts, served
by an internal nameserver and configured as a "forward" zone on the

For any query to this zone, BIND tries to look up
example.net.dlv.isc.org DLV records. If the external internet connection
is down and the DLV record not cached, internal hostname resolution
fails because BIND cannot prove the zone's insecure state.

BIND has a configuration setting which does something similar:

| dnssec-must-be-secure
|     Specify hierarchies which must be or may not be secure (signed and
|     validated). If yes, then named will only accept answers if they
|     are secure. If no, then normal DNSSEC validation applies allowing
|     for insecure answers to be accepted. The specified domain must be
|     under a trusted-key or dnssec-lookaside must be active.

I'd like to have a third option to disable normal DNSSEC validation for
a known-insecure zone.

On a related note, will the ISC's DLV zone be available for AXFR?
It used to be but isn't anymore.

Because of the importance of DLV for any name resolution (it effectively
is a root zone), I would like to mirror the zone on my own servers and
configure the resolvers to use them in a "forward first" configuration.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: OpenPGP digital signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20090830/ee9212ab/attachment.bin>

More information about the bind-users mailing list