Is there a way to disable dnssec validation for a single zone?
ron.dodson at lmco.com
Thu Aug 4 15:47:07 UTC 2011
Is there a way to disable dnssec validation for a single zone? The people who run the dns for ojp.usdoj.gov have broken dnssec. Usdoj.gov delegates ojp.usdoj.gov and has a DS record for ojp.usdoj.gov. Ojp.usdoj.gov is unsigned, and has no corresponding dnskey record, so validation fails. Users here, who must reach various something.ojp.usdoj.gov hosts cannot do so as the names are unresolvable on our network.
The last time there was a dns issue with usdoj.gov, it took about 3 weeks for them to fix it. I'd like to come up with a way to resolve ojp.usdoj.gov names without disabling validation altogether until they fix their issues. I've tried setting ojp.usdoj.gov as a forward zone and forwarding to a non-validating resolver, but that doesn't seem to work.
Sr. Network Engineer
ron.dodson at lmco.com<mailto:ron.dodson at lmco.com>
More information about the bind-users