Exclude a domain from DNSSEC validation, like Unbound's "domain-insecure".

Jan-Piet Mens jpmens.dns at gmail.com
Thu Apr 26 18:51:10 UTC 2012


> Is there a way to exclude a domain from DNSSEC validation, like
> Unbound's "domain-insecure"?

That is regrettably not possible at the moment, at least not in BIND.

The only (quite impracticable) workaround would be to define the zone
authoritatively yourself and populate it somehow... (I did say
impracticable, didn't I?)

> For example if a popular site ( say nasa.gov ) updates their keys
> incorrectly so that their domain fails validation, you contact their
> admins. and with a high level of confidence you determine this is a
> configuration mistake and not a security breach, you can then
> exclude them from DNSSEC validation so your customers can access their
> site while they fix their error.

From a Comcast talk at SATIN 2012 I believe they called that a "negative
trust anchor", and IIRC, the author wanted to publish a draft of its
operation. Haven't seen it yet though, and it's probably off topic as
regards BIND.
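As an added illustration of the "negative trust anchor" idea raised in this thread (example code, not from the thread, BIND or Unbound), the following Python sketch models how a validating resolver would apply a time-limited NTA: names at or below the anchored zone are treated as insecure instead of bogus, everything else keeps the validator's verdict. The NegativeTrustAnchor type, the helper names and all timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class NegativeTrustAnchor:
    """Hypothetical NTA entry (constructed): a zone name plus a hard expiry."""
    name: str
    expires: datetime

def canon(name: str) -> str:
    """Lower-case and drop the trailing dot so 'NASA.gov.' matches 'nasa.gov'."""
    return name.lower().rstrip(".")

def covered_by(qname: str, nta_name: str) -> bool:
    """True if qname is the NTA name or any name below it, matched on whole labels."""
    q, n = canon(qname), canon(nta_name)
    return q == n or q.endswith("." + n)  # so 'notnasa.gov' is NOT under 'nasa.gov'

def add_nta(ntas: list, zone: str, now: datetime, lifetime=timedelta(hours=1)):
    """Install a temporary NTA; the short lifetime forces the operator to re-check."""
    nta = NegativeTrustAnchor(canon(zone), now + lifetime)
    ntas.append(nta)
    return nta

def effective_status(qname: str, validator_status: str, ntas: list, now: datetime) -> str:
    """Combine the validator's verdict ('secure'/'insecure'/'bogus') with active NTAs.

    Under an active NTA the zone is handled as if it were unsigned, so 'bogus' becomes
    'insecure' and the answer is served; outside any NTA, or once it has expired, the
    validator's own verdict stands and a 'bogus' answer is still withheld from clients.
    """
    if any(nta.expires > now and covered_by(qname, nta.name) for nta in ntas):
        return "insecure"
    return validator_status

def demo() -> dict:
    """Walk through the thread's nasa.gov scenario with constructed timestamps."""
    now = datetime(2012, 4, 26, 18, 51, tzinfo=timezone.utc)
    ntas: list = []
    out = {"before_nta": effective_status("www.nasa.gov.", "bogus", ntas, now)}
    add_nta(ntas, "nasa.gov", now)  # operator has confirmed a key rollover mistake
    out["under_nta"] = effective_status("www.nasa.gov.", "bogus", ntas, now)
    out["sibling"] = effective_status("notnasa.gov", "bogus", ntas, now)
    out["expired"] = effective_status("www.nasa.gov.", "bogus", ntas, now + timedelta(hours=2))
    return out

if __name__ == "__main__":
    print(demo())
```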


