Disabling DNSSEC validation per zone?

Mark Andrews marka at isc.org
Sun Aug 30 21:47:07 UTC 2009

In message <4A99ABEB.7080202 at hauke-lampe.de>, Hauke Lampe writes:
> I am looking for a way to disable DNSSEC lookaside validation for a given
> zone. Would this be possible with BIND already or do I need to file a
> feature request (and where)?
>
> My reason is that we use a zone "example.net" for internal hosts, served
> by an internal nameserver and configured as a "forward" zone on the
> resolvers.
>
> For any query to this zone, BIND tries to look up
> example.net.dlv.isc.org DLV records. If the external internet connection
> is down and the DLV record is not cached, internal hostname resolution
> fails because BIND cannot prove the zone's insecure state.
>
> BIND has a configuration setting which does something similar:
>
> | dnssec-must-be-secure
> |     Specify hierarchies which must be or may not be secure (signed and
> |     validated). If yes, then named will only accept answers if they
> |     are secure. If no, then normal DNSSEC validation applies allowing
> |     for insecure answers to be accepted. The specified domain must be
> |     under a trusted-key or dnssec-lookaside must be active.
>
> I'd like to have a third option to disable normal DNSSEC validation for
> a known-insecure zone.
>
> On a related note, will the ISC's DLV zone be available for AXFR?
> It used to be but isn't anymore.
>
> Because of the importance of DLV for any name resolution (it effectively
> is a root zone), I would like to mirror the zone on my own servers and
> configure the resolvers to use them in a "forward first" configuration.
>
> Hauke.

Just sign your internal zone and add a trusted-keys clause for it
and you won't use DLV.  named only uses dlv if the zone is provably
insecure based on the trust-anchors configured.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
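The resolver configuration Hauke describes, alongside the change Mark suggests, as an added named.conf example that is not from the original thread (the forwarder address and the key string are constructed placeholders; the algorithm number is an assumption):

```conf
// Added example, not from the original thread. Hostnames, addresses and
// the key string are constructed placeholders.

// --- Situation described in the question: forward zone, no trust anchor ---
options {
    dnssec-enable yes;
    dnssec-validation yes;
    // Lookaside validation via ISC's DLV registry.
    dnssec-lookaside "." trust-anchor dlv.isc.org;
};

// example.net is served by an internal authoritative server and only
// forwarded from this resolver. No configured trust anchor covers it, so
// the validator has to prove it insecure, which here means a DLV lookup
// for example.net.dlv.isc.org. With the uplink down and nothing cached,
// that lookup fails and every internal lookup fails with it.
zone "example.net" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };   // constructed: internal authoritative server
};

// --- Fix suggested in the reply: sign example.net on the internal server
// and configure its KSK as a trust anchor. Validation of example.net then
// runs under this anchor, so the zone is never "provably insecure" and
// named does not consult DLV for names below it. ---
trusted-keys {
    // Format: name flags protocol algorithm "base64 public key".
    // 257 = KSK, 3 = DNSSEC protocol, 8 = RSA/SHA-256 (assumed; use the
    // algorithm the zone was actually signed with). Replace the key string
    // with the real DNSKEY RDATA of the zone's KSK.
    "example.net." 257 3 8 "<BASE64-KSK-PUBLIC-KEY-PLACEHOLDER>";
};

// Operational caveat: a static trusted-keys entry must be updated by hand
// whenever the internal KSK is rolled; a stale anchor makes example.net
// validate as bogus and internal resolution fails again.
```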
