DNSSEC

Jan-Piet Mens jpmens.dns at gmail.com
Fri May 11 14:25:35 UTC 2012


> So how do we implement one?  Create a separate caching server with DNSSEC 
> validation turned off and forward all queries for the broken domain to it?

Unbound can be configured (on the fly) to ignore DNSSEC for individual
zones. From the unbound.conf(5) page:

  domain-insecure: <domain name>

        Sets  domain  name  to be insecure, DNSSEC chain of trust is
        ignored towards the domain name.  So a trust anchor above the
        domain name can not  make  the domain secure with a DS record,
        such a DS record is then ignored.  Also keys from DLV are
        ignored for the domain.  Can be given multiple times to specify
        multiple domains that are treated as if unsigned.  If you set
        trust anchors for the domain they override this setting (and the
        domain is secured).

I assume it would be possible to implement something along the lines of
`rndc insecure <domain>`, but I wouldn't know...

        -JP
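The man page text above describes a precedence rule that is easy to misread: `domain-insecure` switches validation off for a zone and everything under it (so a DS record in the parent is ignored), but a trust anchor configured for that same zone name wins and the zone is validated again. The following is an added illustration, not code from JP's message or from Unbound itself: a small Python model of that rule, plus a helper that renders the corresponding `server:` fragment. The zone names are constructed, and the `auto-trust-anchor-file` path is an assumed default.

```python
"""Simplified model of Unbound's domain-insecure precedence as described in
unbound.conf(5). Added example: this is not Unbound's code, only an
illustration of the documented behaviour."""


def _norm(name: str) -> str:
    """Lower-case a domain name and give it exactly one trailing dot."""
    name = name.strip().lower().rstrip(".")
    return (name + ".") if name else "."


def _ancestors(name: str) -> list[str]:
    """Return the name and every enclosing zone up to the root, deepest first.

    'www.broken.example.' -> ['www.broken.example.', 'broken.example.',
                              'example.', '.']
    """
    labels = [lbl for lbl in _norm(name).rstrip(".").split(".") if lbl]
    zones = [".".join(labels[i:]) + "." for i in range(len(labels))]
    zones.append(".")
    return zones


def security_status(qname: str, trust_anchors, insecure_domains) -> str:
    """Classify a query name as 'secure', 'insecure' or 'unsigned'.

    Walking from the query name towards the root, the deepest zone that is
    either a configured trust anchor or a domain-insecure entry decides:
      * trust anchor      -> 'secure'   (a new chain of trust starts here)
      * domain-insecure   -> 'insecure' (validation skipped; any DS record
                                         above this point is ignored)
    When the same zone name carries both, the trust anchor wins, as the
    man page states. If no marker is found at all, the name is 'unsigned'.
    """
    anchors = {_norm(a) for a in trust_anchors}
    insecure = {_norm(d) for d in insecure_domains}
    for zone in _ancestors(qname):
        if zone in anchors:
            return "secure"
        if zone in insecure:
            return "insecure"
    return "unsigned"


def render_unbound_conf(insecure_domains,
                        anchor_file: str = "/var/lib/unbound/root.key") -> str:
    """Render a server: section with the root anchor and domain-insecure lines.

    The anchor_file path is an assumption; distributions place it differently.
    """
    lines = ["server:", f'    auto-trust-anchor-file: "{anchor_file}"']
    for domain in insecure_domains:
        lines.append(f'    domain-insecure: "{_norm(domain)}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed scenario: root anchor configured, broken.example. marked
    # insecure because its DNSSEC is misconfigured upstream.
    anchors = ["."]
    insecure = ["broken.example."]
    for name in ("www.broken.example.", "www.example."):
        print(f"{name:24} -> {security_status(name, anchors, insecure)}")
    print(render_unbound_conf(insecure))
```

The "on the fly" part of the message maps onto `unbound-control insecure_add <zone>` and `insecure_remove <zone>`, which add or drop a `domain-insecure` entry in the running daemon without a restart; the `server:` fragment rendered above is the persistent equivalent in `unbound.conf`.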
