disable dnssec for particular domain

Reindl Harald h.reindl at thelounge.net
Wed Feb 7 11:12:02 UTC 2018

On 07.02.2018 at 12:07, Matus UHLAR - fantomas wrote:
>> On 06/02/2018 16:31, Matus UHLAR - fantomas wrote:
>>> what's the difference, when the domain doesn't exist?
>>> is it because .eu is signed?
> On 06.02.18 16:35, Ray Bellis wrote:
>> Perhaps, although I'm not sure why given that .eu is signed with NSEC3
>> and opt-out.
>> Are you *sure* that the domain doesn't now actually exist in the DNS?
> yes. even web whois shows no 'nameserver' information.
> the name is "testa.eu".
> I'm not good at dnssec to find out more

probably it's just a stupid idea to have no nameservers instead of some
fake-nameserver without DS records when you override the domain locally

my "rhsoft.net" domain on local networks also has nothing in common with 
the public nameservers


	Found 3 DNSKEY records for .
	DS=20326/SHA-256 verifies DNSKEY=20326/SEP
	DS=19036/SHA-256 verifies DNSKEY=19036/SEP
	Found 1 RRSIGs over DNSKEY RRset
	RRSIG=19036 and DNSKEY=19036/SEP verifies the DNSKEY RRset
	Found 1 DS records for eu in the . zone
	DS=59479/SHA-256 has algorithm RSASHA256
	Found 1 RRSIGs over DS RRset
	RRSIG=41824 and DNSKEY=41824 verifies the DS RRset
	Found 2 DNSKEY records for eu
	DS=59479/SHA-256 verifies DNSKEY=59479/SEP
	Found 2 RRSIGs over DNSKEY RRset
	RRSIG=43743 and DNSKEY=43743 verifies the DNSKEY RRset
	Zone eu (2600:2000:3004::1) returns NXDOMAIN for testa.eu
