Is there a way to disable dnssec validation for a single zone?

Dodson, Ron ron.dodson at lmco.com
Thu Aug 4 15:47:07 UTC 2011


Hello,

Is there a way to disable dnssec validation for a single zone?  The people who run the dns for ojp.usdoj.gov have broken dnssec.  Usdoj.gov delegates ojp.usdoj.gov and has a DS record for ojp.usdoj.gov.  Ojp.usdoj.gov is unsigned, and has no corresponding dnskey record, so validation fails.  Users here, who must reach various something.ojp.usdoj.gov hosts cannot do so as the names are unresolvable on our network.

The last time there was a dns issue with usdoj.gov, it took about 3 weeks for them to fix it.  I'd like to come up with a way to resolve ojp.usdoj.gov names without disabling validation altogether until they fix their issues.  I've tried setting ojp.usdoj.gov as a forward zone and forwarding to a non-validating resolver, but that doesn't seem to work.

Ron Dodson
Sr. Network Engineer
ron.dodson at lmco.com
301-519-6502
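The failure described above is a validator doing exactly what RFC 4034 requires: the parent publishes a DS for ojp.usdoj.gov, the child answers with no DNSKEY, so no DS can be matched and the delegation is bogus rather than insecure. The following is an added example (not code from the post or from BIND) that reproduces that decision offline; the DNSKEY material is constructed for illustration and is not ojp.usdoj.gov's real key.

```python
"""Decide secure / insecure / bogus from a parent's DS set and a child's DNSKEY set.

Key tag follows RFC 4034 Appendix B; the DS digest is SHA-256 (digest type 2)
over the canonical owner name plus the DNSKEY RDATA (RFC 4034 section 5.1.4).
"""
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, terminating root byte."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(flags, protocol, algorithm, pubkey)):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes):
    """The (key tag, algorithm, digest type, digest) a parent should publish for this key."""
    digest = hashlib.sha256(name_to_wire(owner) + dnskey_rdata(flags, protocol, algorithm, pubkey))
    return (key_tag(flags, protocol, algorithm, pubkey), algorithm, 2, digest.hexdigest())


def diagnose(owner: str, ds_set: set, dnskey_set: set) -> str:
    """Classify the delegation the way a validating resolver does."""
    if not ds_set:
        return "insecure"  # no DS at the parent: an unsigned child is acceptable
    if not dnskey_set:
        return "bogus: parent publishes DS but child has no DNSKEY"  # the ojp.usdoj.gov case
    derived = {ds_from_dnskey(owner, *key) for key in dnskey_set}
    if any(ds in derived for ds in ds_set):
        return "secure"
    return "bogus: no DS matches any DNSKEY"


# Constructed sample: a KSK (flags 257) using algorithm 8 with a placeholder public key.
OWNER = "ojp.usdoj.gov"
SAMPLE_KEY = (257, 3, 8, b"\x01\x02")
PARENT_DS = {ds_from_dnskey(OWNER, *SAMPLE_KEY)}

if __name__ == "__main__":
    print(diagnose(OWNER, PARENT_DS, set()))          # the broken state from the post
    print(diagnose(OWNER, PARENT_DS, {SAMPLE_KEY}))   # what a correctly signed child yields
```

Later BIND releases address the question directly with negative trust anchors (`rndc nta <domain>`, BIND 9.11 and later), which suspend validation below one name for a limited time instead of globally.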



