Disable DNSSEC Validation for selected Domains

Evan Hunt each at isc.org
Wed Jan 14 08:13:00 UTC 2015


On Jan 13, 2015, at 2:35 AM, Stefan.Lasche at t-systems.com wrote:
> I'm just wondering, is an option like unbound's "domain-insecure"
> intentionally not implemented in BIND? Or did just nobody care
> enough to implement it yet?

I have resisted implementing it because it's too easy for an operator to
forget they knocked a hole in their DNSSEC protections, and leave the hole
in place long after it stopped being useful.

The negative trust anchor implementation that will be released in 9.11
corrects for this with built-in term limits.  NTAs are added via rndc,
and they expire and are removed after a relatively short lifespan, not
exceeding a week.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
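A small Python model of the term-limit behaviour Evan describes (an added example, not BIND code and not part of the thread): NTAs are keyed by name, a requested lifetime longer than a week is refused, an NTA covers the name and everything below it, and entries drop out on their own when the term ends. The periodic revalidation check that named performs is not modelled, and the one-week cap is taken from the post rather than from BIND's source.

```python
from dataclasses import dataclass, field

# Upper bound on an NTA lifetime, per the post: "not exceeding a week".
MAX_NTA_LIFETIME = 7 * 24 * 3600


@dataclass
class NtaTable:
    """Toy model of negative trust anchors with built-in expiry."""
    entries: dict = field(default_factory=dict)  # name -> expiry (epoch seconds)

    @staticmethod
    def _normalize(name: str) -> str:
        # Treat "example.com." and "Example.COM" as the same name.
        return name.rstrip(".").lower()

    def add(self, name: str, lifetime: int, now: int) -> int:
        """Add an NTA; refuse lifetimes beyond the cap so the hole cannot be permanent."""
        if lifetime <= 0 or lifetime > MAX_NTA_LIFETIME:
            raise ValueError(
                f"NTA lifetime must be 1..{MAX_NTA_LIFETIME} seconds, got {lifetime}")
        expiry = now + lifetime
        self.entries[self._normalize(name)] = expiry
        return expiry

    def expire(self, now: int) -> list:
        """Remove entries whose term has ended; returns the names dropped."""
        gone = [n for n, exp in self.entries.items() if exp <= now]
        for n in gone:
            del self.entries[n]
        return gone

    def covers(self, qname: str, now: int) -> bool:
        """True if qname or any ancestor has a live NTA, i.e. validation would be skipped."""
        self.expire(now)
        labels = self._normalize(qname).split(".")
        # Walk up the tree: www.example.com -> example.com -> com
        for i in range(len(labels)):
            if ".".join(labels[i:]) in self.entries:
                return True
        return False
```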


More information about the bind-users mailing list