Is there a way to disable dnssec validation for a single zone?

Chris Thompson cet1 at cam.ac.uk
Fri Aug 5 15:04:50 UTC 2011


On Aug 5 2011, Mark Andrews wrote:

>
>In message <CA603693.38DA5%ron.dodson at lmco.com>, "Dodson, Ron" writes:
>> Hello,
>> 
>> Is there a way to disable dnssec validation for a single zone?
>
>No.

Without wanting to argue about whether it would be appropriate to use
such a mechanism (if it existed) in this particular case, this question
does seem to crop up from time to time, usually in conjunction with "but
unbound has such a facility". E.g. it came up on the dnssec-deployment
mailing list recently in connection with 239.in-addr.arpa being signed
and empty, and thus more or less forcing any local reverse zone for
part of 239/8 to be signed and have a local trust anchor as well.

Maybe I am missing something, but it wouldn't seem to be too technically
difficult to have an "anti-trust anchor" declaring that a particular zone
is to be considered provably insecure. Is it, then, a political matter,
reflecting a belief that (a) it would be misused and/or (b) even local
zones should be signed anyway?

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
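As an added illustration (editor's example, not from the thread), the two approaches the post contrasts: unbound's per-zone `domain-insecure:` facility, and the "sign it and install a local trust anchor" route BIND forced at the time. A third fragment shows the `validate-except` statement that BIND gained later (9.13.3 onward), which is the per-zone escape the original question asked for. The zone name, stub address and key are constructed placeholders.

```conf
# --- unbound.conf: send the local reverse zone to a stub server and
# --- mark that one name insecure, so validation is skipped there only
server:
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # constructed example: 239.1.0.0/16 reverse space is served locally
    domain-insecure: "1.239.in-addr.arpa"
stub-zone:
    name: "1.239.in-addr.arpa"
    stub-addr: 192.0.2.53        # placeholder: local authoritative server

# --- named.conf, BIND 9.8 era (the route the post describes as forced):
# --- the local zone must be signed and its KSK installed as a trust
# --- anchor, otherwise the signed, empty 239.in-addr.arpa proves it bogus
trusted-keys {
    "1.239.in-addr.arpa." 257 3 8 "<base64 DNSKEY of the local zone KSK>";
};
zone "1.239.in-addr.arpa" {
    type static-stub;
    server-addresses { 192.0.2.53; };   # placeholder address
};

# --- named.conf, BIND 9.13.3 and later: validation is switched off for
# --- the named zone only; everything else is still validated
options {
    dnssec-validation auto;
    validate-except { "1.239.in-addr.arpa"; };
};
```

Either per-zone exception removes DNSSEC protection for that subtree alone, so it is worth logging which names are exempted and reviewing the list when the parent zone changes.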


