disable dnssec for particular domain
Tony Finch
dot at dotat.at
Tue Feb 6 16:11:12 UTC 2018
Matus UHLAR - fantomas <uhlar at fantomas.sk> wrote:
>
> Is it currently possible to avoid validating this particular domain?
BIND 9.11 has support for negative trust anchors, but they are supposed to
be used as a temporary workaround to allow time for breakage to be fixed -
you'll probably find that the NTA support is a bit awkward for a permament
exclusion.
Since this is a multi-organization private zone, it would be easier to get
the DS record removed from the .eu parent so that you don't have to
implement a workaround. The other blessed option is to distribute a trust
anchor for the private zone, but that's even more faff than NTAs.
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/ - I xn--zr8h punycode
Fitzroy: Northerly 4 or 5 at first in southeast, otherwise 6 to gale 8,
occasionally severe gale 9 in south, backing westerly or northwesterly 4 or 5
later in northwest. Moderate or rough at first in southeast, otherwise very
rough or high. Squally showers. Good, occasionally poor.
More information about the bind-users
mailing list