Exclude a domain from DNSSEC validation, like Unbound's "domain-insecure".
Warren Kumari
warren at kumari.net
Thu Apr 26 20:06:26 UTC 2012
On Apr 26, 2012, at 2:51 PM, Jan-Piet Mens wrote:
> Augie,
>
>> Is there a way to exclude a domain from DNSSEC validation, like
>> Unbound's "domain-insecure"?
>
> That is regrettably not possible at the moment, at least not in BIND
> 9.9.0.
>
> The only (quite impracticable) workaround would be to define the zone
> authoritatively yourself and populate it somehow... (I did say
> impracticable, didn't I?)
>
>> For example if a popular site ( say nasa.gov ) updates their keys
>> incorrectly so that their domain fails validation, you contact their
>> admins. and with a high level of confidence you determine this is a
>> configuration mistake and not a security breach, you can then
>> exclude them from DNSSEC validation so your customers can access their
>> site while they fix their error.
>
> From a Comcast talk at SATIN 2012 I believe they called that a "negative
> trust anchor", and IIRC, the author wanted to publish a draft of its
> operation. Haven't seen it yet though, and it's probably off topic as
> regards BIND.
http://tools.ietf.org/html/draft-livingood-negative-trust-anchors-01
Being actively discussed on DNSOP list…
W
>
> -JP
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
More information about the bind-users
mailing list