Is there a way to disable dnssec validation for a single zone?

Michael Graff mgraff at isc.org
Fri Aug 5 12:38:26 UTC 2011


While calling them sounds fun, I wonder if we need a Soft Failure mode sooner rather than later during dnssec deployment. 

Or a way to have bind 9 report broken dnssec to a central site where we or a group of ISC-blessed volunteers call them after X reports of brokenness. 

--Michael (from an iPhone)


On Aug 4, 2011, at 19:37, Mark Andrews <marka at isc.org> wrote:

> 
> In message <CA603693.38DA5%ron.dodson at lmco.com>, "Dodson, Ron" writes:
>> Hello,
>> 
>> Is there a way to disable dnssec validation for a single zone?
> 
> No.
> 
>> The people who run the dns for ojp.usdoj.gov have broken dnssec.  Usdoj.gov delegates
>> ojp.usdoj.gov and has a DS record for ojp.usdoj.gov.  Ojp.usdoj.gov is unsigned,
>> and has no corresponding dnskey record, so validation fails.  Users here, who
>> must reach various something.ojp.usdoj.gov hosts cannot do so as the names
>> are unresolvable on our network.
> 
> Well, call them up on the phone and complain that their DNS servers
> are broken.  +1-202-514-2000
> 
> It should take seconds to get the DS records removed.  They can then
> re-do the secure delegation once the zone is signed.
> 
>> The last time there was a dns issue with usdoj.gov, it took about 3 weeks for
>> them to fix it.  I'd like to come up with a way to resolve ojp.usdoj.gov
>> names without disabling validation altogether until they fix their issues.  I've
>> tried setting ojp.usdoj.gov as a forward zone and forwarding to a
>> non-validating resolver, but that doesn't seem to work.
> 
> If it takes 3 weeks to get things fixed then someone is plain incompetent.
> 
> Mark
> 
>> Ron Dodson
>> Sr. Network Engineer
>> ron.dodson at lmco.com
>> 301-519-6502
>> 
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>> from this list
>> 
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org



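Added example, not part of the original thread and not ISC code: a sketch of the delegation check a validator applies, showing why a DS record at the parent with no matching DNSKEY at the child makes every name under the zone fail validation, and why removing the DS makes the zone resolve again as insecure. The key material is constructed sample data and the function names are illustrative; the key tag follows RFC 4034 Appendix B.

```python
import hashlib
import struct

# Digest types used in DS records: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical (lower-case) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (16 bit), protocol, algorithm, then the key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_matches(owner, ds, rdata):
    """ds is (key_tag, algorithm, digest_type, digest_bytes)."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS or tag != key_tag(rdata) or alg != rdata[3]:
        return False
    # DS digest = hash(owner name in wire form | DNSKEY RDATA)
    return DIGESTS[dtype](name_to_wire(owner) + rdata).digest() == digest

def classify_delegation(owner, ds_set, dnskey_set):
    if not ds_set:
        return "insecure"  # no DS at the parent: the child may be unsigned
    if any(ds_matches(owner, ds, k) for ds in ds_set for k in dnskey_set):
        return "secure-candidate"  # DS links to a DNSKEY; RRSIGs still need checking
    return "bogus"  # DS promises a signed child, but no matching key exists

# Constructed sample data (not the real keys of any zone).
ZONE = "ojp.usdoj.gov."
SAMPLE_KEY = dnskey_rdata(257, 3, 13, bytes(range(64)))
SAMPLE_DS = (key_tag(SAMPLE_KEY), 13, 2,
             hashlib.sha256(name_to_wire(ZONE) + SAMPLE_KEY).digest())

if __name__ == "__main__":
    print("DS at parent, child unsigned:", classify_delegation(ZONE, [SAMPLE_DS], []))
    print("DS removed from parent:      ", classify_delegation(ZONE, [], []))
    print("DS matches child DNSKEY:     ", classify_delegation(ZONE, [SAMPLE_DS], [SAMPLE_KEY]))
```
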