Disable DNSSEC Validation for selected Domains

Chris Buxton clists at buxtonfamily.us
Wed Jan 14 07:54:21 UTC 2015


On Jan 13, 2015, at 2:35 AM, Stefan.Lasche at t-systems.com wrote:

> I know that BIND has no feature to disable DNSSEC validation for selected Zones/Domains (when working as a recursor).
> One can only enable/disable DNSSEC validation globally per view (as a boolean on/off).

[...]

> I'm just wondering, is an option like unbound's "domain-insecure" intentionally not implemented in BIND? Or did just nobody care enough to implement it yet?

While you wait for this to become generally available, you can do what I like to do for my customers: Use two layers of recursive DNS servers. The first layer takes queries from clients, knows about your insecure domains (through stub zones, slave zones, or conditional forwarding), and does not perform DNSSEC validation. The first layer globally forwards to the second layer, which does DNSSEC validation and recursion. This second layer can also have a few other features:

- Placed in the DMZ, outside the internal firewall
- No access to internal namespace, internal devices, etc.
- RPZ filtering, if you're going to use this

You can also achieve much of this within a single named instance using two views, with forwarding from one view to the other.

Chris
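The single-instance, two-view variant of the layered setup described above, as an added named.conf example that is not from the original thread or from ISC. The addresses (192.0.2.53 as the client-facing address, 127.0.0.2 as the loopback hop between views), the networks in the ACL, the zone names and the internal authoritative server 10.0.0.10 are all assumed placeholders. The first view answers clients, knows the internal and unsigned zones, and does not validate; everything else is forwarded to the second view, which validates and recurses and has no knowledge of the internal namespace.

```conf
// Example named.conf (constructed illustration, not from the original thread).
// Assumed addresses: 192.0.2.53 = client-facing, 127.0.0.2 = hop to validator.
options {
    directory "/var/named";
    listen-on { 192.0.2.53; 127.0.0.1; 127.0.0.2; };
};

acl "internal-nets" { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };

// Layer 1: client-facing view. Does NOT validate and holds the
// internal / intentionally insecure zones, so those names never
// reach the validator and cannot fail validation there.
view "clients" {
    match-clients      { internal-nets; };
    match-destinations { 192.0.2.53; };
    recursion yes;
    dnssec-validation no;

    // An unsigned internal zone, answered by an internal server (assumed).
    zone "corp.example" {
        type forward;
        forward only;
        forwarders { 10.0.0.10; };
    };

    // Internal reverse space as a stub zone (assumed).
    zone "10.in-addr.arpa" {
        type stub;
        masters { 10.0.0.10; };
        file "stub.10.in-addr.arpa";
    };

    // Everything else goes to layer 2. query-source pins the source
    // address so the validating view can match it below.
    forward only;
    forwarders { 127.0.0.2; };
    query-source address 127.0.0.1;
};

// Layer 2: validating recursor, reachable only from layer 1 via
// 127.0.0.2. It has no forwarders and no internal zones, so an
// unsigned or forged internal answer cannot be laundered through it.
view "validating" {
    match-clients      { 127.0.0.1; };
    match-destinations { 127.0.0.2; };
    recursion yes;
    dnssec-validation auto;
};
```

View order matters: named picks the first view whose match-clients and match-destinations both match, so a client on 10/8 querying 192.0.2.53 lands in "clients", while the forwarded query from 127.0.0.1 to 127.0.0.2 fails the destination check of "clients" and falls through to "validating". Check the file with `named-checkconf` before reloading, and keep in mind that answers cached in the "clients" view are unvalidated by design, so that view must not be reachable from untrusted networks. Newer BIND releases also added a `validate-except` option that disables validation for listed names directly, which removes the need for this workaround where it is available.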


More information about the bind-users mailing list