Disable DNSSEC Validation for selected Domains
/dev/rob0
rob0 at gmx.co.uk
Sat Jan 17 18:56:54 UTC 2015
> -----Original Message-----
> From: Evan Hunt [mailto:each at isc.org]
>
> On Jan 13, 2015, at 2:35 AM, Stefan.Lasche at t-systems.com wrote:
> > I'm just wondering, is an option like unbound's "domain-insecure"
> > intentionally not implemented in BIND? Or did just nobody care
> > enough to implement it yet?
>
> I have resisted implementing it because it's too easy for an
> operator to forget they knocked a hole in their DNSSEC protections,
> and leave the hole in place long after it stopped being useful.
>
> The negative trust anchor implementation that will be released in
> 9.11 corrects for this with built-in term limits. NTAs are added
> via rndc, and they expire and are removed after a relatively short
> lifespan, not exceeding a week.
On Wed, Jan 14, 2015 at 10:34:35AM +0100, Stefan.Lasche at t-systems.com
wrote:
> Hm... In our case a short lifespan won't be enough.
I hate to point this out, but a simple workaround to make NTAs
permanent is to have a cron job which runs your "rndc nta" command
as often as needed.
May Evan and the gods of DNSSEC have mercy on my soul! :(
> Our customer uses a fictional top-level domain and migrating the
> whole infrastructure to a new, proper domain will take him months
> if not years. They'll have to adjust every DNS config of every
> server, every web service they have running internally, all
> documentation etc... I wouldn't be surprised if they are not even
> aware of the problem, yet.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
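The cron-driven workaround described in the message above, written out as an added example; this is not code from rob0, Evan Hunt or ISC. It assumes BIND 9.11 or later with a working rndc, a hypothetical list file of domains to keep insecure (one per line), and that re-issuing `rndc nta` for a domain that already has an NTA resets its expiry, which is what makes the cron approach work at all. The `-lifetime` value is given in seconds; BIND caps an NTA's lifetime at one week, so running this a few times a day keeps the anchor alive while Evan's term limit still closes the hole automatically if the cron job ever stops. Keeping the domains in a file also makes the hole visible to the next operator rather than hidden in a crontab line.

```shell
#!/bin/sh
# nta-refresh.sh (hypothetical name): re-add negative trust anchors before
# they expire, so a fictional internal TLD keeps resolving on a validating
# BIND 9.11+ resolver. Example code, not part of BIND or the original post.
#
# Suggested crontab entry (paths are assumptions):
#   0 */6 * * * root /usr/local/sbin/nta-refresh.sh /etc/bind/nta-domains.txt

RNDC="${RNDC:-rndc}"                 # rndc binary; overridable for testing
NTA_LIFETIME="${NTA_LIFETIME:-86400}" # seconds; BIND refuses more than one week

# Accept only a plausible DNS name: letters, digits, '-' and '.', no leading
# dot, no empty label. Anything else is rejected before it reaches rndc.
valid_domain() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|*..*) return 1 ;;
    esac
    return 0
}

# Add (or re-add, which refreshes the expiry) the NTA for one domain.
# Returns rndc's exit status, or 1 if the name was rejected.
nta_refresh() {
    if ! valid_domain "$1"; then
        echo "nta-refresh: rejecting bad domain name '$1'" >&2
        return 1
    fi
    "$RNDC" nta -lifetime "$NTA_LIFETIME" "$1"
}

# Refresh every domain listed in file $1 (blank lines and '#' comments are
# skipped). Prints the number of domains refreshed; exits nonzero if any
# refresh failed so cron mails the operator.
nta_refresh_all() {
    ok=0
    failed=0
    while IFS= read -r dom; do
        case "$dom" in ''|\#*) continue ;; esac
        if nta_refresh "$dom"; then
            ok=$((ok + 1))
        else
            failed=$((failed + 1))
        fi
    done < "$1"
    echo "$ok"
    [ "$failed" -eq 0 ]
}

# When run as a script with a list file argument, do the work; when sourced
# or run without arguments, only define the functions.
if [ $# -gt 0 ]; then
    nta_refresh_all "$1"
fi
```

The script does not inspect `rndc nta -dump` output; it simply re-adds every listed anchor on each run, which is what rob0's "as often as needed" cron job amounts to, and it fails loudly on a malformed name instead of passing it through to rndc.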