Is there a way to disable dnssec validation for a single zone?
Mark Andrews
marka at isc.org
Fri Aug 5 00:37:27 UTC 2011
In message <CA603693.38DA5%ron.dodson at lmco.com>, "Dodson, Ron" writes:
> Hello,
>
> Is there a way to disable dnssec validation for a single zone?
No.
> The people who run the dns for ojp.usdoj.gov have broken dnssec. Usdoj.gov
> delegates ojp.usdoj.gov and has a DS record for ojp.usdoj.gov. Ojp.usdoj.gov
> is unsigned, and has no corresponding dnskey record, so validation fails.
> Users here, who must reach various something.ojp.usdoj.gov hosts cannot do
> so as the names are unresolvable on our network.
Well, call them up on the phone and complain that their DNS servers
are broken. +1-202-514-2000
It should take seconds to get the DS records removed. They can then
re-do the secure delegation once the zone is signed.
> The last time there was a dns issue with usdoj.gov, it took about 3 weeks
> for them to fix it. I'd like to come up with a way to resolve ojp.usdoj.gov
> names without disabling validation altogether until they fix their issues.
> I've tried setting ojp.usdoj.gov as a forward zone and forwarding to a
> non-validating resolver, but that doesn't seem to work.
If it takes 3 weeks to get things fixed then someone is plain incompetent.
Mark
> Ron Dodson
> Sr. Network Engineer
> ron.dodson at lmco.com<mailto:ron.dodson at lmco.com>
> 301-519-6502
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
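
Added example, not part of the original message and not BIND code: a sketch of the decision a validating resolver reaches from the parent's DS set and the child's DNSKEY set, showing why a DS record over an unsigned child makes every name in the zone fail. The zone name `child.example.`, the key bytes and all function names are constructed for illustration; only SHA-256 (digest type 2) DS records are handled and RRSIG verification is left out.

```python
import hashlib
import struct

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA in wire format (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name):
    """Canonical (lower-case) wire form of a domain name."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def make_ds(owner, rdata):
    """SHA-256 DS for a DNSKEY: (key_tag, algorithm, digest_type, digest)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], 2, digest)

def classify_delegation(owner, ds_set, dnskey_rdatas):
    """Conclusion drawn from the parent's DS set and the child's DNSKEY set.
    Simplification: signatures (RRSIG) are not verified here."""
    if not ds_set:
        return "insecure"   # no DS at the parent: an unsigned child is acceptable
    for tag, alg, dtype, digest in ds_set:
        for rdata in dnskey_rdatas:
            if dtype == 2 and make_ds(owner, rdata) == (tag, alg, dtype, digest):
                return "secure"
    return "bogus"          # DS promises a signed child, but no DNSKEY matches

# Constructed sample data; the key bytes are not a real key.
ZONE = "child.example."
KSK = dnskey_rdata(257, 3, 8, bytes(range(64)))
PARENT_DS = [make_ds(ZONE, KSK)]

if __name__ == "__main__":
    print("DS + matching DNSKEY :", classify_delegation(ZONE, PARENT_DS, [KSK]))
    print("DS, child unsigned   :", classify_delegation(ZONE, PARENT_DS, []))
    print("no DS, child unsigned:", classify_delegation(ZONE, [], []))
```

The middle case is the one described in the quoted report; removing the DS at the parent moves the zone to the third case, which resolves normally.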