disable dnssec for particular domain

Reindl Harald h.reindl at thelounge.net
Tue Feb 6 16:05:39 UTC 2018

Am 06.02.2018 um 17:00 schrieb Matus UHLAR - fantomas:
> our customer uses a domain that is registered, but hidden
> (doesn't exist in DNS).
> The domain is used by multiple organizations and we are required to forward
> lookups for the domain to foreign internal servers.
> The problem is, that parent domain (.eu) indicates that the domain is to be
> signed and since default bind installation validates DNSSEC, lookups are
> refused:

why does the parent domain indicate that?
DNSSEC is per domain and not per TLD

> Feb  6 15:49:36 mon named[30183]: validating @0xf4806910: testa.eu MX: 
> got insecure response; parent indicates it should be secure
> Is it currently possible to avoid validating this particular domain?
> can I do anything other on my side than disabling DNSSEC validation at all?
> I have bind9.8, going to upgrade to 9.9.5
> (could probably go to 9.11 if needed)

More information about the bind-users mailing list