disable dnssec for particular domain

Tony Finch dot at dotat.at
Thu Feb 8 12:01:24 UTC 2018

Matus UHLAR - fantomas <uhlar at fantomas.sk> wrote:
> and in case of private/internal domain even logical - it's not useful to
> push DS records to parent, and even possible with 2 versions of the same
> zone.

You can have a secure delegation in the parent if you sign both versions
of the zone with the same KSK. (There are lots of reasons that it might be
difficult to do this in practice, though.)

> On 08.02.18 19:12, Mark Andrews wrote:
> > The point on OPTOUT is to allow the parent zone to add and remove
> > insecure delegations without resigning.
> shouldn't that cause validation to stop?

Well, that's what I expected :-) this is why I said it's arguable which is
the right behaviour - it depends on your view of what opt-out does. Does
it avoid re-signing work in zones with lots of insecure delegations (the
authoritative point of view), or does it stop validation (the recursive
point of view)? Mark's point is that the auth PoV is the original
motivating purpose of opt-out.

But really this question is beside the point. We'll have a lot less fun
exploring these corner cases in the protocol if people stop trying to play
silly buggers with the DNS namespace and delegate things properly.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Irish Sea: Southwest 5 to 7 veering northwest 6 to gale 8, perhaps severe gale
9 later. Slight or moderate, becoming moderate or rough. Rain then wintry
showers. Good, occasionally poor.

More information about the bind-users mailing list