Hi Stefen

On Tue, Jan 13, 2015 at 11:35:26AM +0100, stefan.las...@t-systems.com wrote:
> Some of the internal Domains of our customers will fail the
> proof-of-non-existence. While this is technically correct, we still
> need access to their internal Domain to do our business... So the
> current all-or-nothing approach of BIND prevents us from activating
> DNSSEC altogether (and will probably do so for years to come).
>
> I'm just wondering, is an option like unbound's "domain-insecure"
> intentionally not implemented in BIND? Or did just nobody care
> enough to implement it yet?

BIND will get support for negative trust anchors in 9.11, which will
provide the feature that you seek. An implementation is now in the
master branch.

https://tools.ietf.org/html/draft-livingood-negative-trust-anchors-07

In partnership with our subscription customers who support future
feature development by helping to fund our engineering work, we
currently have a subscription branch where features critical to their
current needs are backported from master and are currently available
for their use. We are trialling the negative trust anchors feature
there now. If you absolutely need this now, please contact ISC about
it.

Another option is to run the master branch, but we don't recommend it
as it is a development branch with several new features, some of which
may be unstable or changing rapidly.

Negative trust anchors will be released to the public in the 9.11
release.

Mukund

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users