disable dnssec for particular domain

Tony Finch dot at dotat.at
Wed Feb 7 14:14:42 UTC 2018

Matus UHLAR - fantomas <uhlar at fantomas.sk> wrote:
> I wonder why does it do that. I have configured a zone to be type
> forward and expected it to work as configured, not be validated
> upstream.

Validation is mostly independent of resolution, so even if you configure a
zone explicitly, the validator will still go chatting to its parent zones
in search of its delegation. (The exception is authoritative zones, which
are not validated.)

> Do people with private versions of domains have this problem too when
> using DNSSEC?

Yes :-) I'm relatively lucky that my predecessors set up private.cam.ac.uk
rather than a shadow cam.ac.uk which made it easier for them to roll out

> I have a feeling that we need to reserve a TLD for internal private domains
> that would be guaranteed not to use DNSSEC at all.

There's no need for that (and that would involve a lot of tricky
politics). Instead, either use a subdomain of an existing domain (like us)
or register a domain with an insecure delegation for internal use.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Lundy, Fastnet, Irish Sea: Variable 4, becoming southwest 5 or 6. Very rough
at first in southwest Fastnet, otherwise slight or moderate, occasionally
rough except in Irish Sea. Wintry showers, then occasional rain. Good,
occasionally poor.
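
The behaviour described in this message, as an added example that is not part of the original post: a simplified Python model of the validator's walk down from the root trust anchor, which runs regardless of how a forward zone is resolved. The zone names and delegation data are constructed, and the model assumes every label is a zone cut.

```python
# Simplified model of DNSSEC validation for answers from a "type forward" zone.
# Constructed data: what the PUBLIC DNS says about each delegation.
#   "secure"   = parent publishes a DS record for the child
#   "insecure" = parent proves (signed) that the child has no DS record
#   absent     = signed parent proves the name does not exist at all
PUBLIC_DELEGATIONS = {
    ".": "secure",                   # root trust anchor
    "example.": "secure",
    "corp.example.": "secure",       # signed public zone, shadowed internally
    "private.example.": "insecure",  # subdomain with an insecure delegation
    "internal-example.": "insecure", # registered domain with no DS record
}


def ancestors(name):
    """Yield the root, then each enclosing zone of `name`, top down."""
    labels = name.rstrip(".").split(".")
    yield "."
    for i in range(len(labels) - 1, -1, -1):
        yield ".".join(labels[i:]) + "."


def validate_forwarded(apex, signed_with_public_key=False):
    """Classify an answer obtained through a forward zone at `apex`.

    The forwarder configuration is deliberately not an input: the
    validator consults only the public chain of trust.
    """
    for zone in ancestors(apex):
        status = PUBLIC_DELEGATIONS.get(zone)
        if status is None:
            return "bogus"     # signed denial of existence contradicts the answer
        if status == "insecure":
            return "insecure"  # provable break in the chain: unsigned data is accepted
    # Secure all the way down: only data signed by the public keys validates.
    return "secure" if signed_with_public_key else "bogus"


if __name__ == "__main__":
    for apex in ("corp.example.", "corp.", "private.example.", "internal-example."):
        print(f"{apex:20} {validate_forwarded(apex)}")
```

A "bogus" result is what the client sees as SERVFAIL; the two "insecure" cases correspond to the two options recommended in the reply.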
