Disable DNSSEC Validation for selected Domains
Stefan.Lasche at t-systems.com
Tue Jan 13 10:35:26 UTC 2015
Hi @all,
I know that BIND has no feature to disable DNSSEC validation for selected Zones/Domains (when working as a recursor).
One can only enable/disable DNSSEC validation globally per view (as a boolean on/off).
I found that Microsoft's DNS Server has a feature to skip the validation for some Domains. They call it NRPT (Name Resolution Policy Table).
Unbound also has a similar feature (domain-insecure).
Some of the internal Domains of our customers will fail the proof-of-non-existence. While this is technically correct, we still need access to their internal Domain to do our business...
So the current all-or-nothing approach of BIND prevents us from activating DNSSEC altogether (and will probably do so for years to come).
I'm just wondering, is an option like unbound's "domain-insecure" intentionally not implemented in BIND? Or did just nobody care enough to implement it yet?
Regards,
Stefan