Disable DNSSEC Validation for selected Domains

Mukund Sivaraman muks at isc.org
Tue Jan 13 12:03:07 UTC 2015

Hi Stefen

On Tue, Jan 13, 2015 at 11:35:26AM +0100, Stefan.Lasche at t-systems.com wrote:
> Some of the internal Domains of our customers will fail the
> proof-of-non-existence. While this is technically correct, we still
> need access to their internal Domain to do our business...  So the
> current all-or-nothing approach of BIND prevents us from activating
> DNSSEC all together (and will probably do so for years to come).
> I'm just wondering, is an option like unbound's "domain-insecure"
> intentionally not implemented in in BIND? Or did just nobody care
> enough to implement it yet?

BIND will get support for negative trust anchors in 9.11, which will
provide the feature that you seek. An implementation is now in the
master branch.


In partnership with our subscription customers who support future
feature development by helping to fund our engineering work, we
currently have a subscription branch where features critical to their
current needs are backported from master and are currently available for
their use. We are trialling the negative trust anchors feature there
now. If you absoutely need this now, please contact ISC about it.

Another option is to run the master branch, but we don't recommend it as
it is a development branch with several new features, some of which may
be unstable or changing rapidly. Negative trust anchors will be released
to the public in the 9.11 release.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20150113/e2687859/attachment.bin>

More information about the bind-users mailing list