Exclude a domain from DNSSEC validation, like Unbound's "domain-insecure".
Fr34k
freaknetboy at yahoo.com
Thu Apr 26 19:28:00 UTC 2012
Great question (Augie) and great feedback (JP).
As DNSSEC is adopted, some type of mitigation process will be welcomed.
For that reason, I think this is on topic.
>________________________________
> From: Jan-Piet Mens <jpmens.dns at gmail.com>
>To: bind-users at lists.isc.org
>Sent: Thursday, April 26, 2012 2:51 PM
>Subject: Re: Exclude a domain from DNSSEC validation, like Unbound's "domain-insecure".
>
>Augie,
>
>> Is there a way to exclude a domain from DNSSEC validation, like
>> Unbound's "domain-insecure"?
>
>That is regrettably not possible at the moment, at least not in BIND
>9.9.0.
>
>The only (quite impracticable) workaround would be to define the zone
>authoritatively yourself and populate it somehow... (I did say
>impracticable, didn't I?)
>
>> For example if a popular site ( say nasa.gov ) updates their keys
>> incorrectly so that their domain fails validation, you contact their
>> admins. and with a high level of confidence you determine this is a
>> configuration mistake and not a security breach, you can then
>> exclude them from DNSSEC validation so your customers can access their
>> site while they fix their error.
>
>From a Comcast talk at SATIN 2012 I believe they called that a "negative
>trust anchor", and IIRC, the author wanted to publish a draft of its
>operation. Haven't seen it yet though, and it's probably off topic as
>regards BIND.
>
> -JP
>_______________________________________________
>Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
>bind-users mailing list
>bind-users at lists.isc.org
>https://lists.isc.org/mailman/listinfo/bind-users
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20120426/db87370f/attachment.html>
More information about the bind-users
mailing list