AW: Disable DNSSEC Validation for selected Domains
Stefan.Lasche at t-systems.com
Stefan.Lasche at t-systems.com
Wed Jan 14 09:46:55 UTC 2015
Hi Chris,
> While you wait for this to become generally available, you can do what I like to do for my customers: Use two layers of recursive DNS servers. The first layer takes queries from clients, knows about your insecure domains
> (through stub zones, slave zones, or conditional forwarding), and does not perform DNSSEC validation. The first layer globally forwards to the second layer, which does DNSSEC validation and recursion.
Funny thing is, that I have tried something similar already, placing a validating server in the first layer and forwarding problematic Domains to a non-validating server in the second layer. This didn't help.
Now that I read your message, I see that it should have been the other way around to make it work ;)
Regards,
Stefan
More information about the bind-users
mailing list