Disabling DNSSEC validation per zone?
Mark Andrews
marka at isc.org
Sun Aug 30 21:47:07 UTC 2009
In message <4A99ABEB.7080202 at hauke-lampe.de>, Hauke Lampe writes:
> I am looking for a way to disable DNSSEC lookaside validation for a given
> zone. Would this be possible with BIND already or do I need to file a
> feature request (and where)?
>
> My reason is that we use a zone "example.net" for internal hosts, served
> by an internal nameserver and configured as a "forward" zone on the
> resolvers.
>
> For any query to this zone, BIND tries to look up
> example.net.dlv.isc.org DLV records. If the external internet connection
> is down and the DLV record not cached, internal hostname resolution
> fails because BIND cannot prove the zone's insecure state.
>
> BIND has a configuration setting which does something similar:
>
> | dnssec-must-be-secure
> | Specify hierarchies which must be or may not be secure (signed and
> | validated). If yes, then named will only accept answers if they
> | are secure. If no, then normal DNSSEC validation applies allowing
> | for insecure answers to be accepted. The specified domain must be
> | under a trusted-key or dnssec-lookaside must be active.
>
> I'd like to have a third option to disable normal DNSSEC validation for
> a known-insecure zone.
>
>
> On a related note, will the ISC's DLV zone be available for AXFR?
> It used to be but isn't anymore.
>
> Because of the importance of DLV for any name resolution (it effectively
> is a root zone), I would like to mirror the zone on my own servers and
> configure the resolvers to use them in a "forward first" configuration.
>
>
>
> Hauke.
Just sign your internal zone and add a trusted-keys clause for it
and you won't use DLV. named only uses dlv if the zone is provably
insecure based on the trust-anchors configured.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
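The setup Mark describes, written out as a resolver-side named.conf fragment. This is an added example, not configuration from the thread or from ISC; it assumes the internal master for example.net is 192.0.2.53 and uses a placeholder in place of the real KSK, which has to come from the key generated on the internal master.

```conf
// Added example (not from the original thread): resolver-side named.conf
// for the forward-zone setup above. Assumptions: internal master for
// example.net at 192.0.2.53 (documentation address); the KSK public key
// below is a PLACEHOLDER and must be replaced with the real base64 data
// from the key generated with dnssec-keygen on the internal master.

options {
    directory "/var/named";
    dnssec-enable yes;
    dnssec-validation yes;
    // Lookaside validation stays on for everything that has no anchor.
    dnssec-lookaside "." trust-anchor dlv.isc.org.;
};

// The internal zone is signed on its master; this resolver only forwards.
zone "example.net" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};

// Explicit trust anchor for the internal zone. Once an anchor covers
// example.net, named validates its answers against this key directly and
// does not query example.net.dlv.isc.org, so an outage of the external
// link no longer breaks internal resolution.
// Fields: owner name, flags (257 = KSK), protocol (3), algorithm
// (5 = RSASHA1, as generated), base64 public key.
trusted-keys {
    "example.net." 257 3 5 "PLACEHOLDER-BASE64-KSK-PUBLIC-KEY==";
};
```

Run named-checkconf on the result before reloading. Because trusted-keys anchors are static, this clause must be updated whenever the internal KSK is rolled, or validation of example.net will start failing.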