Slightly Off-Topic: Dealing with DNSSEC Bogus Data

Evan Hunt each at
Sun Jun 8 17:59:44 UTC 2014

> I'm about to start DNSSEC validation on my resolvers (BIND 9.8) but
> wanted to know beforehand if there was a way to disable DNSSEC
> validation for particular domains.  I searched the archives and found
> the answer to be "no" (at present time).

The answer is still no.  We do have "negative trust anchors" on the
roadmap for 9.11, but that's not scheduled for release until 2015.
(I might make it available as an unsupported patch before then
if there's demand for it, but not as an official published release.)

It'll be implemented as an rndc command that temporarily suppresses
DNSSEC validation below a specified name, for a configurable period of
time defaulting to one hour and not exceeding one day.

Evan Hunt -- each at
Internet Systems Consortium, Inc.
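
[Added example, not part of the original message and not BIND code.] A small Python model of the planned behaviour described above: validation is suppressed below a given name for a limited time, one hour by default and at most one day. The class and function names, the clamping of over-long lifetimes, and coverage of the anchored name itself are assumptions made for illustration.

```python
import time

DEFAULT_LIFETIME = 3600   # one hour, the default stated in the message
MAX_LIFETIME = 86400      # one day, the ceiling stated in the message


def _labels(name):
    """Split a DNS name into lowercase labels, ignoring any trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


class NegativeTrustAnchors:
    """Hypothetical in-memory table of temporary validation exemptions."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._expiry = {}   # tuple of labels -> absolute expiry time

    def add(self, name, lifetime=DEFAULT_LIFETIME):
        """Exempt `name` and everything below it; return the lifetime applied."""
        if lifetime <= 0:
            raise ValueError("lifetime must be positive")
        applied = min(lifetime, MAX_LIFETIME)  # assumption: clamp, do not reject
        self._expiry[tuple(_labels(name))] = self._clock() + applied
        return applied

    def covers(self, qname):
        """True if an unexpired anchor sits at or above qname."""
        now = self._clock()
        labels = _labels(qname)
        # Walk from the full name up to the root, one label at a time, so
        # matching respects label boundaries ("badexample.com" is not
        # below "example.com").
        for i in range(len(labels) + 1):
            key = tuple(labels[i:])
            expiry = self._expiry.get(key)
            if expiry is not None:
                if expiry > now:
                    return True
                del self._expiry[key]   # lapsed: validation applies again
        return False
```

The expiry is the point of the design: an exemption added while a zone operator repairs broken signatures lapses without further action, so the resolver does not stay unprotected for that name indefinitely.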

More information about the bind-users mailing list