Exempt .local from dnssec validation on resolver?
Evan Hunt
each at isc.org
Thu Jul 25 21:10:04 UTC 2019
On Thu, Jul 25, 2019 at 09:03:26PM +0000, Evan Hunt wrote:
> In 9.11, no. In 9.14, you can use "validate-except { local; };"
(Afterthought: In 9.11, you can also use "rndc nta" to suppress validation
on a given domain, but negative trust anchors expire after a while, so you
have to keep doing it over and over. You could sign the ".local" zone and
distribute a trust anchor for it to all of your internal resolvers. So, I
shouldn't have said "no". But the simple fire-and-forget method that you
seemed to be looking for was not introduced until 9.14.)
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
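
The two resolver-side options named in the message above, as an added named.conf sketch that is not part of the original post. The `dnssec-validation auto;` line and the lifetime values are assumptions chosen for illustration.

```conf
// BIND 9.14 and later: permanently skip DNSSEC validation at and below "local".
options {
    dnssec-validation auto;        // assumed: validation stays on for all other names
    validate-except { "local"; };
};

// BIND 9.11: validate-except is not available. A negative trust anchor
// added at runtime with
//     rndc nta -lifetime 24h local
// suppresses validation for the same names, but it expires, so the command
// has to be re-run (for example from cron) before each expiry.
// "rndc nta -dump" lists the anchors currently in place.
// The defaults applied when -lifetime is omitted are set in the options block:
//
// options {
//     dnssec-validation auto;
//     nta-lifetime 24h;   // assumed value; default is one hour, maximum one week
//     nta-recheck 5m;     // how often named retests whether the domain validates again
// };
```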