Exclude a domain from DNSSEC validation, like Unbound's "domain-insecure".
jpmens.dns at gmail.com
Thu Apr 26 18:51:10 UTC 2012
> Is there a way to exclude a domain from DNSSEC validation, like
> Unbound's "domain-insecure"?
That is regrettably not possible at the moment, at least not in BIND
The only (quite impracticable) workaround would be to define the zone
authoritatively yourself and populate it somehow... (I did say
impracticable, didn't I?)
> For example if a popular site ( say nasa.gov ) updates their keys
> incorrectly so that their domain fails validation, you contact their
> admins. and with a high level of confidence you determine this is a
> configuration mistake and not a security breach, you can then
> exclude them from DNSSEC validation so your customers can access their
> site while they fix their error.
>From a Comcast talk at SATIN 2012 I believe they called that a "negative
trust anchor", and IIRC, the author wanted to publish a draft of its
operation. Haven't seen it yet though, and it's probably off topic as
More information about the bind-users