Re: Re: Disable DNSSEC Validation for selected Domains

Stefan.Lasche at t-systems.com Stefan.Lasche at t-systems.com
Thu Jan 15 17:48:40 UTC 2015


>
>If the zone isn't signed, it shouldn't be trying to validate it as there's nothing to validate.  Unless this fictional TLD now has a real delegated counter-part?
>
>Stuart

Just for clarification:
If a TLD does not exist, it can neither be signed nor unsigned.
And, officially, the mentioned TLD does not exist. DNSSEC can prove that much (using NSEC records). DNSSEC won't successfully validate something that isn't even supposed to exist.
Adding a (non-authoritative) zone declaration to BIND does not change this. DNSSEC will still try to validate and fail.
But a "negative trust anchor" could change that and disable the validation for selected zones/domains on your BIND.

Regards,
Stefan
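As an added illustration of the negative trust anchor Stefan mentions (this is not part of his message, nor ISC's own configuration), here is a named.conf fragment showing the two BIND mechanisms for switching validation off for one name while leaving it on for everything else. The TLD name `example-tld`, the forwarder address and the version assumptions are mine: `rndc nta` and the `nta-*` options are assumed to be available (BIND 9.11 or later), and `validate-except` is assumed to be available in a newer release.

```conf
// Added example, not from the original thread: two ways BIND can skip
// DNSSEC validation for one name (the placeholder TLD "example-tld")
// while keeping validation on for everything else.
//
// (1) Runtime negative trust anchor (NTA), added with rndc, no restart.
//     Assumes a BIND release that has "rndc nta" (9.11 or later):
//
//       rndc nta -lifetime 1h example-tld      # add, expires after 1 hour
//       rndc nta -dump                         # list current NTAs
//       rndc nta -remove example-tld           # drop it early
//
//     An NTA is deliberately temporary: nta-lifetime caps it (at most one
//     week), and named re-checks every nta-recheck whether the name
//     validates again, removing the NTA as soon as it does.
options {
    dnssec-validation auto;   // root trust anchor managed automatically

    nta-lifetime 1h;          // default lifetime of an rndc-added NTA
    nta-recheck 5m;           // how often named re-tests an NTA'd name

    // (2) Permanent exception in named.conf (assumed available; needs a
    //     newer BIND than (1)): answers at or below this name are never
    //     validated, so the unofficial TLD stops answering SERVFAIL.
    validate-except { "example-tld"; };
};

// The zone statement alone does NOT stop validation, as the message says:
// with only this, the resolver still proves the name's non-existence from
// the root (NSEC) and fails. It must be paired with (1) or (2).
zone "example-tld" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };   // constructed RFC 5737 documentation address
};
```

From a risk standpoint the two differ: the NTA is the intended tool for a name whose validation is temporarily broken, because it expires on its own and is re-tested, while `validate-except` is a standing hole in validation for that name and should be limited to names, such as an internal or unofficial TLD, that will never be signed.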

