Is there a way to disable dnssec validation for a single zone?
marc.lampo at eurid.eu
Fri Aug 5 06:02:58 UTC 2011
As a *temporary* solution, you could configure you validating caching name
server as authoritative for that name.
The authoritative part/answer is taken before the cache, regardless of DS
records in the parent indicating that RRSIG's should be present.
One point of attention : don't have validating forwarders forward to such
a caching name server - for a validating forwarder both the DS and the
"fake" authoritative answer end up in its cache !
(if you use validating forwarders, you would have to make each forwarder
authoritative for that something... )
Only a *temporary* solution, until the remote side DNS administrators get
their thing fixed !!!
From: Dodson, Ron [mailto:ron.dodson at lmco.com]
Sent: 04 August 2011 05:47 PM
To: bind-users at lists.isc.org
Subject: Is there a way to disable dnssec validation for a single zone?
Is there a way to disable dnssec validation for a single zone? The people
who run the dns for ojp.usdoj.gov have broken dnssec. Usdoj.gov delegates
ojp.usdoj.gov and has a DS record for ojp.usdoj.gov. Ojp.usdoj.gov is
unsigned, and has no corresponding dnskey record, so validation fails.
Users here, who must reach various something.ojp.usdoj.gov hosts cannot do
so as the names are unresolvable on our network.
The last time there was a dns issue with usdoj.gov, it took about 3 weeks
for them to fix it. I'd like to come up with a way to resolve
ojp.usdoj.gov names without disabling validation altogether until they fix
their issues. I've tried setting ojp.usdoj.gov as a forward zone and
forwarding to a non-validating resolver, but that doesn't seem to work.
Sr. Network Engineer
ron.dodson at lmco.com<mailto:ron.dodson at lmco.com>
More information about the bind-users