disable dnssec for particular domain
Tony Finch
dot at dotat.at
Wed Feb 7 14:14:42 UTC 2018
Matus UHLAR - fantomas <uhlar at fantomas.sk> wrote:
>
> I wonder why it does that. I have configured a zone to be type
> forward and expected it to work as configured, not be validated
> upstream.
Validation is mostly independent of resolution, so even if you configure a
zone explicitly, the validator will still go chatting to its parent zones
in search of its delegation. (The exception is authoritative zones, which
are not validated.)
> Do people with private versions of domains have this problem too when
> using DNSSEC?
Yes :-) I'm relatively lucky that my predecessors set up private.cam.ac.uk
rather than a shadow cam.ac.uk which made it easier for them to roll out
DNSSEC.
> I have a feeling that we need to reserve a TLD for internal private domains
> that would be guaranteed not to use DNSSEC at all.
There's no need for that (and that would involve a lot of tricky
politics). Instead, either use a subdomain of an existing domain (like us)
or register a domain with an insecure delegation for internal use.
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/ - I xn--zr8h punycode
Lundy, Fastnet, Irish Sea: Variable 4, becoming southwest 5 or 6. Very rough
at first in southwest Fastnet, otherwise slight or moderate, occasionally
rough except in Irish Sea. Wintry showers, then occasional rain. Good,
occasionally poor.
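
The behaviour discussed in this message, as an added example that is not part of the original post and not BIND code: a simplified model of a validator walking the public delegation chain, showing why an unsigned answer obtained through a forward zone is rejected under a signed parent but accepted beneath an insecure delegation. The zone names and the delegation table are constructed for illustration.

```python
# Simplified model of a validating resolver's trust decision (added example).
# Constructed sample data describing the PUBLIC DNS tree:
#   True  = parent publishes a DS record for the zone (secure delegation)
#   False = parent proves that no DS exists (insecure delegation)
# Names missing from the table are not zone cuts in the public tree.
PUBLIC_DELEGATIONS = {
    ".": True,                        # root trust anchor
    "example.": True,                 # hypothetical signed TLD
    "corp.example.": True,            # signed public zone
    "internal.corp.example.": False,  # insecure delegation for internal use
}


def ancestors(name):
    """Yield candidate zone cuts from the root down to name."""
    labels = [label for label in name.split(".") if label]
    yield "."
    for i in range(len(labels) - 1, -1, -1):
        yield ".".join(labels[i:]) + "."


def validate(qname, answer_is_signed):
    """Classify an answer as 'secure', 'insecure' or 'bogus'.

    Where the answer came from (forwarder, recursion) is deliberately not
    an input: validation follows the public delegation chain regardless.
    """
    for zone in ancestors(qname):
        if zone not in PUBLIC_DELEGATIONS:
            continue  # not a zone cut: still inside the enclosing zone
        if not PUBLIC_DELEGATIONS[zone]:
            return "insecure"  # proven unsigned from here down: accepted
    # Every delegation on the path is secure, so signatures are required.
    return "secure" if answer_is_signed else "bogus"


if __name__ == "__main__":
    cases = [
        ("host.corp.example.", False),           # private shadow of a signed zone
        ("host.internal.corp.example.", False),  # subdomain, insecure delegation
        ("www.corp.example.", True),             # normal signed public answer
        ("host.lan.", False),                    # made-up TLD under a signed root
    ]
    for qname, signed in cases:
        print(f"{qname:32} signed={signed!s:5} -> {validate(qname, signed)}")
```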