Slightly Off-Topic: Dealing with DNSSEC Bogus Data

Jorge Fábregas jorge.fabregas at
Sun Jun 8 17:00:46 UTC 2014

Hi everyone,

I'm about to start DNSSEC validation on my resolvers (BIND 9.8) but
wanted to know beforehand if there was a way to disable DNSSEC
validation for particular domains.  I searched the archives and found
the answer to be "no" (at present time).

This change is going to impact thousands of users for us and I'm a bit
worried about it.   How do you deal with DNSSEC bogus data?  I know that
one should inform the corresponding party (SOA email record perhaps?)
and be a good netizen but, what if these efforts fail?  Do you
temporarily become "authoritative" for that zone? or do you tell your
users: "sorry, it's not on us; it's their fault"?

Thanks in advance.


p.d. I know there are DNSSEC mailing lists out there but wanted to know
about BIND admins (where you currently don't have the option to disable
validation for given domains).

More information about the bind-users mailing list