disable dnssec for particular domain

Matus UHLAR - fantomas uhlar at fantomas.sk
Wed Feb 7 17:38:46 UTC 2018

>Matus UHLAR - fantomas <uhlar at fantomas.sk> wrote:
>> I wonder why does it do that. I have configured a zone to be type
>> forward and expected it to work as confdigured, not be validated
>> upstream.

On 07.02.18 14:14, Tony Finch wrote:
>Validation is mostly independent of resolution, so even if you configure a
>zone explicitly, the validator will still go chatting to its parent zones
>in search of its delegation. (The exception is authoritative zones, which
>are not validated.)

so I need 9.11 ot turn validation off... great :-)
(np, it was off on other server, I just set up a new one)

>> Do people with private versions of domains have this problem too when
>> using DNSSEC?
>Yes :-) I'm relatively lucky that my predecessors set up private.cam.ac.uk
>rather than a shadow cam.ac.uk which made it easier for them to roll out
>> I have feeling that we need to reserve TLD for internal private domains
>> that would be guaranteed not to use DNSSEC at all.
>There's no need for that (and that would involve a lot of tricky

other than reserving TLD, not signing it and recommending people to use its

> Instead, either use a subdomain of an existing domain (like us)
>or register a domain with an insecure delegation for internal use.

neither is possible for now. as I said, neither our customer not itsupstream
does maintain the domain.

Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam is for losers who can't get business any other way.

More information about the bind-users mailing list