Disable DNSSEC Validation for selected Domains

/dev/rob0 rob0 at gmx.co.uk
Sat Jan 17 18:56:54 UTC 2015


> -----Original Message-----
> From: Evan Hunt [mailto:each at isc.org]
> 
> On Jan 13, 2015, at 2:35 AM, Stefan.Lasche at t-systems.com wrote:
> > I'm just wondering, is an option like unbound's "domain-insecure"
> > intentionally not implemented in BIND? Or did just nobody care
> > enough to implement it yet?
> 
> I have resisted implementing it because it's too easy for an 
> operator to forget they knocked a hole in their DNSSEC protections, 
> and leave the hole in place long after it stopped being useful.
> 
> The negative trust anchor implementation that will be released in 
> 9.11 corrects for this with built-in term limits.  NTAs are added 
> via rndc, and they expire and are removed after a relatively short 
> lifespan, not exceeding a week.

On Wed, Jan 14, 2015 at 10:34:35AM +0100, Stefan.Lasche at t-systems.com 
wrote:
> Hm... In our case a short lifespan won't be enough.

I hate to point this out, but a simple workaround to make NTAs 
permanent is to have a cron job which runs your "rndc nta" command 
as often as needed.

May Evan and the gods of DNSSEC have mercy on my soul! :(

> Our customer uses a fictional top-level domain, and migrating the 
> whole infrastructure to a new, proper domain will take him months 
> if not years. They'll have to adjust every DNS config of every 
> server, every web service they have running internally, all 
> documentation etc...  I wouldn't be surprised if they are not even 
> aware of the problem yet.



-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
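An added example of the cron workaround described above (not code from the thread, from ISC or from BIND itself): a small POSIX shell script that re-issues "rndc nta" for every domain in a list file, meant to run from cron at least daily so the one-week lifetime cap never runs out. It assumes the BIND 9.11 "rndc nta" options as I recall them from its man page, i.e. "-lifetime" (which named caps at one week and which, on an existing NTA, just resets the timer) and "-force" (which stops named from dropping the NTA early if the zone begins to validate); the list-file and script paths and the NTA_* environment names are hypothetical. This deliberately re-creates the hole Evan Hunt warns about, so the script logs every refresh to stderr (cron mails it), and "rndc nta -dump" shows what is currently in effect.

```shell
#!/bin/sh
# refresh-ntas.sh: re-assert BIND negative trust anchors from cron so they
# never lapse (the cron workaround from the message above).
# Added example, not code from the thread or from ISC. Assumes the BIND 9.11
# "rndc nta" syntax: "-lifetime" (capped at one week by named) and "-force"
# (do not drop the NTA early if the zone starts validating).
#
# Suggested crontab entry (daily, well inside the one-week cap):
#   17 3 * * * /usr/local/sbin/refresh-ntas.sh /etc/bind/nta-domains.txt
# Both paths are hypothetical. Audit what is in effect with: rndc nta -dump

RNDC="${RNDC:-rndc}"                # override to point at a stub for testing
NTA_LIFETIME="${NTA_LIFETIME:-1w}"  # named rejects anything longer than 1w
NTA_VIEW="${NTA_VIEW:-}"            # optional view name; empty = default view

log() {
    # Goes to stderr, so cron mails it: a permanent NTA should stay visible.
    printf 'refresh-ntas: %s\n' "$*" >&2
}

nta_domains() {
    # Read the domain list: one name per line, '#' starts a comment, blank
    # lines are skipped, names are lower-cased so CORP. and corp. collapse
    # into one NTA.
    awk '{ sub(/#.*/, ""); if (NF) print tolower($1) }' "$1"
}

refresh_ntas() {
    # Re-issue "rndc nta" for every listed domain. Because -lifetime on an
    # existing NTA just resets its clock, this is idempotent and safe to
    # repeat from cron. Returns non-zero if any rndc call failed.
    list="$1"; ok=0; failed=0
    for d in $(nta_domains "$list"); do
        # $NTA_VIEW is deliberately unquoted: empty means "no view argument".
        if "$RNDC" nta -force -lifetime "$NTA_LIFETIME" "$d" $NTA_VIEW; then
            ok=$((ok + 1))
        else
            failed=$((failed + 1))
            log "rndc nta failed for $d"
        fi
    done
    log "refreshed $ok NTA(s) with lifetime $NTA_LIFETIME, $failed failure(s)"
    [ "$failed" -eq 0 ]
}

# Run only when a list file is given, so the functions can also be sourced.
[ $# -eq 0 ] || refresh_ntas "$1"
```

Removing a domain from the list stops the refresh; the NTA then expires on its own at most a week later, or immediately with "rndc nta -remove".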


More information about the bind-users mailing list