disable dnssec for particular domain

Matus UHLAR - fantomas uhlar at fantomas.sk
Wed Feb 7 13:53:57 UTC 2018 

On 07.02.18 12:26, Tony Finch wrote:
>Aha! I think what's happening here is that BIND is expecting a NODATA
>response, to indicate that there is a delegation without a DS record.
>(For an example, `dig +dnssec +multiline europa.eu ds)

>However the validator gets an NXDOMAIN response claiming the domain
>doesn't exist at all. But this is an opt-out NXDOMAIN so it is not a
>proof. Nevertheless the validator believes it, and is convinced that it
>has not proved the NODATA that it was expecting to prove, so it tells
>itself it has not found an insecure delegation.

I wonder why does it do that. 

I have configured a zone to be type forward and expected it to work as
confdigured, not be validated upstream.

(type forward - the fun continues, we don't have access to the origin
nameservers, however tried static-stub with the same result)

>This is a tricky case. You can argue convincingly either way whether it is
>a bug or not, I think. Even if it is a bug, fixing it is not going to
>solve your problem any time soon - you need a pragmatic operational
>solution.

I can only guess that this is a part of dnssec functionality - validate
everything even for domains configured locally.

Do people with private versions of domains have this problem too when
using DNSSEC?

I have feeling that we need to reserve TLD for internal private domains
that would be guaranteed not to use DNSSEC at all.

(I have thought of reserving private TLD already before, anyonw wants to
write a RFC?)

>What you should do is add some nameservers to the registration (serving an
>empty zone or something), so that the .eu nameservers return a NODATA
>response instead of an NXDOMAIN response. Then your private zone will
>work.

that would apparently take ages, neither we nor our customer have contact to
the registrator.

I currently see the only option to disable dnssec on the server, or upgrade
to 9.11 ...

but I'll upgrade the server to debian 8 (bind9.9.5) first.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Support bacteria - they're the only culture some people have.

More information about the bind-users mailing list