Re: Disable DNSSEC Validation for selected Domains

Stefan.Lasche at t-systems.com Stefan.Lasche at t-systems.com
Wed Jan 14 09:34:35 UTC 2015


Hm... In our case a short lifespan won't be enough.
Our customer uses a fictional top-level domain, and migrating the whole infrastructure to a new, proper domain will take them months if not years.
They'll have to adjust every DNS config of every server, every web service they have running internally, all documentation, etc.
I wouldn't be surprised if they are not even aware of the problem yet.

Regards,
Stefan


-----Original Message-----
From: Evan Hunt [mailto:each at isc.org]
Sent: Wednesday, 14 January 2015 09:13
To: Lasche, Stefan
Cc: BIND Users
Subject: Re: Disable DNSSEC Validation for selected Domains

On Jan 13, 2015, at 2:35 AM, Stefan.Lasche at t-systems.com wrote:
> I'm just wondering, is an option like unbound's "domain-insecure"
> intentionally not implemented in in BIND? Or did just nobody care 
> enough to implement it yet?

I have resisted implementing it because it's too easy for an operator to forget they knocked a hole in their DNSSEC protections, and leave the hole in place long after it stopped being useful.

The negative trust anchor implementation that will be released in 9.11 corrects for this with built-in term limits.  NTAs are added via rndc, and they expire and are removed after a relatively short lifespan, not exceeding a week.

--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
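The two mechanisms the thread contrasts, modelled as an added example that is not BIND or unbound code: a permanent exemption list in the style of unbound's `domain-insecure` next to negative trust anchors that carry an expiry, with any requested lifetime clamped to the one-week cap Evan mentions. The name `corp`, the one-hour default lifetime, the timestamps and the rule that an exemption covers the name and everything below it are assumptions of this model, not taken from either resolver.

```python
from datetime import datetime, timedelta

# Cap quoted in the reply: NTAs expire after "a relatively short lifespan,
# not exceeding a week".
MAX_NTA_LIFETIME = timedelta(days=7)
# Default lifetime when none is given: an assumption of this model.
DEFAULT_NTA_LIFETIME = timedelta(hours=1)


def _normalize(name):
    """Lower-case a DNS name and drop the trailing dot so comparisons are stable."""
    return name.rstrip(".").lower()


def _covers(anchor, qname):
    """True if the anchor equals qname or is one of its ancestors.
    Modelling assumption: an exemption applies to the name and everything below it."""
    a, q = _normalize(anchor), _normalize(qname)
    return q == a or q.endswith("." + a)


class InsecureList:
    """Permanent exemptions, in the style of unbound's domain-insecure: the hole
    stays open until an operator remembers to edit the configuration."""

    def __init__(self):
        self.names = set()

    def add(self, name):
        self.names.add(_normalize(name))

    def is_exempt(self, qname, now):
        # 'now' is accepted for interface symmetry but never consulted: time
        # plays no part in whether the exemption still applies.
        return any(_covers(a, qname) for a in self.names)


class NegativeTrustAnchors:
    """Time-limited exemptions with built-in term limits: every anchor carries an
    expiry, requested lifetimes are clamped to the cap, and lapsed anchors are
    swept away before any lookup consults the table."""

    def __init__(self, max_lifetime=MAX_NTA_LIFETIME):
        self.max_lifetime = max_lifetime
        self._expiry = {}  # normalized name -> datetime at which the NTA lapses

    def add(self, name, now, lifetime=DEFAULT_NTA_LIFETIME):
        lifetime = min(lifetime, self.max_lifetime)  # the term limit is enforced here
        expiry = now + lifetime
        self._expiry[_normalize(name)] = expiry
        return expiry

    def sweep(self, now):
        """Drop lapsed anchors and return their names: the hole closes without
        anyone having to remember it."""
        lapsed = [n for n, e in self._expiry.items() if e <= now]
        for n in lapsed:
            del self._expiry[n]
        return lapsed

    def is_exempt(self, qname, now):
        self.sweep(now)
        return any(_covers(a, qname) for a in self._expiry)


def demo_timeline():
    """Constructed scenario: an operator exempts the customer's made-up TLD
    'corp' (assumed name) and asks for a 30-day lifetime; observe what each
    mechanism does as time passes. Returns a dict of observations."""
    t0 = datetime(2015, 1, 14, 9, 13)  # constructed timestamp
    permanent = InsecureList()
    permanent.add("corp")
    ntas = NegativeTrustAnchors()
    granted_until = ntas.add("corp", t0, lifetime=timedelta(days=30))
    return {
        # 30 days was requested, but the anchor is only granted the one-week cap
        "nta_clamped_to_cap": granted_until == t0 + MAX_NTA_LIFETIME,
        # a name outside the anchored subtree is still validated normally
        "nta_unrelated_name_exempt": ntas.is_exempt("example", t0),
        # inside the window the exemption applies to names below 'corp'
        "nta_day6_exempt": ntas.is_exempt("intranet.corp", t0 + timedelta(days=6)),
        # after the cap the anchor has lapsed and validation is back in force
        "nta_day8_exempt": ntas.is_exempt("intranet.corp", t0 + timedelta(days=8)),
        # the permanent list is still open a year later
        "permanent_year_later_exempt": permanent.is_exempt("intranet.corp", t0 + timedelta(days=365)),
    }


if __name__ == "__main__":
    for key, value in demo_timeline().items():
        print(f"{key}: {value}")
```

The `sweep` before every lookup is the part that matters for the argument in the reply: with the permanent list nothing ever re-checks whether the exemption is still wanted, while the expiring table closes the hole on its own, so a forgotten entry cannot outlive the cap.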

