DNSSEC
Jan-Piet Mens
jpmens.dns at gmail.com
Fri May 11 14:25:35 UTC 2012
> So how do we implement one? Create a separate caching server with DNSSEC
> validation turned off and forward all queries for the broken domain to it?
Unbound can be configured (on the fly) to ignore DNSSEC for individual
zones. From the unbound.conf(5) page:
domain-insecure: <domain name>
Sets domain name to be insecure, DNSSEC chain of trust is
ignored towards the domain name. So a trust anchor above the
domain name can not make the domain secure with a DS record,
such a DS record is then ignored. Also keys from DLV are
ignored for the domain. Can be given multiple times to specify
multiple domains that are treated as if unsigned. If you set
trust anchors for the domain they override this setting (and the
domain is secured).
I assume it would be possible to implement something along the lines of
`rndc insecure <domain>`, but I wouldn't know...
-JP
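Worked example, added here and not part of the original post or of Unbound's own documentation: marking one broken zone as DNSSEC-insecure, both as a persistent unbound.conf fragment and on the fly through unbound-control (insecure_add / insecure_remove / list_insecure). The zone name "broken.example" is a placeholder, and the running resolver at 127.0.0.1 with remote-control enabled is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post). Treat a single zone as
# unsigned in Unbound while leaving validation on for everything else.
# "broken.example" is a constructed placeholder zone, not a real domain.
ZONE="${1:-broken.example}"

# Persistent form: the unbound.conf fragment the man page describes.
# Note the caveat from unbound.conf(5): a trust-anchor for the same
# name overrides this and the zone stays secured.
render_insecure_fragment() {
    printf 'server:\n    domain-insecure: "%s"\n' "$1"
}

# Runtime form: no restart needed. Requires "remote-control: control-enable: yes"
# and works only while unbound keeps running; pair it with the fragment above
# if the exception must survive a restart.
apply_insecure() {
    unbound-control insecure_add "$1" && unbound-control list_insecure
}

# Undo once the zone owner has repaired their signatures.
revert_insecure() {
    unbound-control insecure_remove "$1"
}

# Check: a zone marked insecure answers without the AD flag instead of
# returning SERVFAIL. Run against the local validating resolver.
check_flags() {
    dig +dnssec +noall +comments "$1" @127.0.0.1 | grep -E '^;; flags:'
}

# Print the fragment (safe to redirect into an include file), then apply
# it at runtime if the control tool is present. Failures are reported,
# not fatal, so the fragment is still shown on a host without unbound.
render_insecure_fragment "$ZONE"
if command -v unbound-control >/dev/null 2>&1; then
    apply_insecure "$ZONE" || echo "runtime update failed; is remote-control enabled?" >&2
fi
```

Keep the list of insecure zones short and time-boxed: every entry is a zone whose answers are no longer verified, so review it with `unbound-control list_insecure` and remove entries as soon as the upstream signatures are fixed.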