Is there a way to disable dnssec validation for a single zone?

Mark Andrews marka at
Fri Aug 5 00:37:27 UTC 2011

In message <CA603693.38DA5%ron.dodson at>, "Dodson, Ron" writes:
> Hello,
> Is there a way to disable dnssec validation for a single zone?

> The people who run the dns for have broken dnssec. delegates ojp.
> and has a DS record for is unsigned,
> and has no corresponding dnskey record, so validation fails.  Users here, who
> must reach various hosts cannot do so as the names
> are unresolvable on our network.

Well, call them up on the phone and complain that their DNS servers
are broken.  +1-202-514-2000

It should take seconds to get the DS records removed.  They can then
re-do the secure delegation once the zone is signed.

> The last time there was a dns issue with, it took about 3 weeks for
> them to fix it.  I'd like to come up with a way to resolve names
> without disabling validation altogether until they fix their issues.  I've
> tried setting as a forward zone and forwarding to a non-validating
> resolver, but that doesn't seem to work.

If it takes 3 weeks to get things fixed then someone is plain incompetent.


> Ron Dodson
> Sr. Network Engineer
> ron.dodson at
> 301-519-6502
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at
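
Added example, not part of the original message and not BIND code: a small checker for the failure described in this thread (DS published at the parent, no DNSKEY in the child). It assumes the DS and DNSKEY answers are supplied as `dig +short` style lines; the function names and the sample records are constructed for illustration.

```python
import base64

def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_ds(lines):
    """'keytag alg digesttype digest' lines -> set of (keytag, alg)."""
    fields = (line.split() for line in lines)
    return {(int(f[0]), int(f[1])) for f in fields if len(f) >= 4}

def parse_dnskey(lines):
    """'flags proto alg base64key...' lines -> set of (keytag, alg)."""
    out = set()
    for f in (line.split() for line in lines):
        if len(f) >= 4:
            key = base64.b64decode("".join(f[3:]))  # dig may split the key
            flags, proto, alg = int(f[0]), int(f[1]), int(f[2])
            out.add((key_tag(flags, proto, alg, key), alg))
    return out

def classify(ds_lines, dnskey_lines):
    """Classify a delegation from the parent's DS and the child's DNSKEY set."""
    ds, keys = parse_ds(ds_lines), parse_dnskey(dnskey_lines)
    if not ds:
        return "insecure"  # no DS at parent: validators treat the zone as unsigned
    if not keys:
        return "bogus: DS at parent, no DNSKEY in child"  # the case in this thread
    if ds & keys:
        return "chain-candidate"  # tag/alg match; digest and RRSIGs still need checking
    return "bogus: no DNSKEY matches any DS"

# Constructed sample data (not real records).
SAMPLE_DS = ["2063 8 2 " + "00" * 32]
SAMPLE_DNSKEY = ["257 3 8 AQIDBA=="]

if __name__ == "__main__":
    print(classify(SAMPLE_DS, []))             # broken secure delegation
    print(classify([], []))                    # DS removed: resolves as insecure
    print(classify(SAMPLE_DS, SAMPLE_DNSKEY))  # DS and DNSKEY line up
```

The second call corresponds to the fix suggested in the reply: once the DS records are removed, the unsigned zone is classified as insecure rather than bogus.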
