Is there a way to disable dnssec validation for a single zone?
Michael Graff
mgraff at isc.org
Fri Aug 5 12:38:26 UTC 2011
While calling them sounds fun, I wonder if we need a Soft Failure mode sooner rather than later during dnssec deployment.
Or a way to have bind 9 report broken dnssec to a central site where we or a group of ISC-blessed volunteers call them after X reports of brokenness.
--Michael (from an iPhone)
On Aug 4, 2011, at 19:37, Mark Andrews <marka at isc.org> wrote:
>
> In message <CA603693.38DA5%ron.dodson at lmco.com>, "Dodson, Ron" writes:
>> Hello,
>>
>> Is there a way to disable dnssec validation for a single zone?
>
> No.
>
>> The people who run the dns for ojp.usdoj.gov have broken dnssec. Usdoj.gov
>> delegates ojp.usdoj.gov and has a DS record for ojp.usdoj.gov. Ojp.usdoj.gov
>> is unsigned, and has no corresponding dnskey record, so validation fails.
>> Users here, who must reach various something.ojp.usdoj.gov hosts cannot do
>> so as the names are unresolvable on our network.
>
> Well call them up on the phone and complain that their DNS servers
> are broken. +1-202-514-2000
>
> It should take seconds to get the DS records removed. They can then
> re-do the secure delegation once the zone is signed.
>
>> The last time there was a dns issue with usdoj.gov, it took about 3 weeks
>> for them to fix it. I'd like to come up with a way to resolve ojp.usdoj.gov
>> names without disabling validation altogether until they fix their issues.
>> I've tried setting ojp.usdoj.gov as a forward zone and forwarding to a
>> non-validating resolver, but that doesn't seem to work.
>
> If it takes 3 weeks to get things fixed then someone is plain incompetent.
>
> Mark
>
>> Ron Dodson
>> Sr. Network Engineer
>> ron.dodson at lmco.com<mailto:ron.dodson at lmco.com>
>> 301-519-6502
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>> from this list
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
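
Added example, not part of the original thread and not BIND's code: a small Python classifier for the delegation states discussed above (DS at the parent, DNSKEY at the child), showing why a DS with no matching DNSKEY validates as bogus while removing the DS makes the zone merely insecure. The zone name, key bytes and function names are constructed for illustration; only SHA-256 DS digests (digest type 2) are handled, and signature checking is out of scope.

```python
import hashlib
import struct

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name: str) -> bytes:
    """Canonical (lowercased) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(zone: str, rdata: bytes):
    """Build a (key_tag, algorithm, digest_type, digest) DS tuple using SHA-256."""
    digest = hashlib.sha256(wire_name(zone) + rdata).digest()
    return (key_tag(rdata), rdata[3], 2, digest)

def classify(zone, parent_ds, child_dnskeys):
    """State of one delegation as a validating resolver would see it."""
    if not parent_ds:
        # No DS (assuming the parent proves its absence): treated as unsigned.
        return "insecure"
    if not child_dnskeys:
        # The case reported in the thread: secure delegation to an unsigned zone.
        return "bogus: DS at parent, no DNSKEY at child"
    for tag, alg, dtype, digest in parent_ds:
        for rdata in child_dnskeys:
            if (dtype == 2 and key_tag(rdata) == tag and rdata[3] == alg
                    and hashlib.sha256(wire_name(zone) + rdata).digest() == digest):
                return "secure link"  # RRSIGs must still verify
    return "bogus: no DNSKEY matches any DS"

# Constructed sample data: flags=257, protocol=3, algorithm=8, dummy key bytes.
ZONE = "child.example."
KSK = struct.pack("!HBB", 257, 3, 8) + b"\x01\x02\x03\x04"
OTHER = struct.pack("!HBB", 257, 3, 8) + b"\x0a\x0b\x0c\x0d"

if __name__ == "__main__":
    ds = [make_ds(ZONE, KSK)]
    print("DS published, zone unsigned:", classify(ZONE, ds, []))
    print("DS removed, zone unsigned: ", classify(ZONE, [], []))
    print("DS published, zone signed:  ", classify(ZONE, ds, [KSK]))
    print("DS published, key rolled:   ", classify(ZONE, ds, [OTHER]))
```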