Exclude a domain from DNSSEC validation, like Unbound's "domain-insecure".

Chris Thompson cet1 at cam.ac.uk
Mon Apr 30 11:56:24 UTC 2012

On Apr 30 2012, Warren Kumari wrote:

>On Apr 26, 2012, at 2:51 PM, Jan-Piet Mens wrote:
>> From a Comcast talk at SATIN 2012 I believe they called that a "negative
>> trust anchor", and IIRC, the author wanted to publish a draft of its
>> operation. Haven't seen it yet though, and it's probably off topic as
>> regards BIND.
>Being actively discussed on DNSOP list	

It *was* being actively discussed there, up until about 10 days ago. Since
then the participants seem to have stopped, maybe from sheer exhaustion, as
it was pretty clear that there were irreconcilable opinions on the subject.

It may be worth noting in the bind-users context that ISC's [quick check -
what is he these days - ah yes...] Chairman & Chief Scientist expressed
fairly, well, negative opinions about negative trust anchors, which maybe
does not bode well for them ever appearing in BIND.

Chris Thompson
Email: cet1 at cam.ac.uk

More information about the bind-users mailing list