DNSSEC basic information

Anne Bennett anne at encs.concordia.ca
Tue Sep 24 17:45:46 UTC 2019


Evan Hunt answers Jukka Pakkanen:

> In newer releases there's also a configuration option, "validate-except",
> which permanently disables validation below specified domains. This can
> be used, for example, if you have an internal network using a fake TLD
> and you want to prevent it from showing up as bogus.

... and in a separate message, John W. Blue wrote:

> 1. DNSSEC was designed for external zones


I have a case where I recently had to use "validate-except" because of
a domain (not mine) whose external view is signed but not the internal
view; my resolver gets the internal view for that zone.

Can someone enlighten me as to why "DNSSEC was designed for external
zones", and under what circumstances it makes sense to *not* sign an
internal view?  It seems to me that it would be most consistent to
sign both external and internal views.



Anne.
-- 
Ms. Anne Bennett, Senior Sysadmin, ENCS, Concordia University, Montreal H3G 1M8
anne at encs.concordia.ca                                    +1 514 848-2424 x2285

