> > If the zone isn't signed, it shouldn't be trying to validate it as there's
> > nothing to validate. Unless this fictional TLD now has a real delegated
> > counter-part?
> >
> > Stuart
Just for clarification: If a TLD does not exist, it can neither be signed nor
unsigned. And, officially, the mentioned TLD does not exist. DNSSEC can prove
that much (using NSEC records). DNSSEC won't successfully validate something
that isn't even supposed to exist.

Adding a (non-authoritative) zone declaration to BIND does not change this.
DNSSEC will still try to validate and fail. But a "negative trust anchor" could
change that and disable the validation for selected zones/domains on your BIND.

Regards,
Stefan

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
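The configuration below is an added illustration of the point Stefan makes; it is not part of his message or of anything posted in this thread. It shows a validating BIND 9 resolver with a forward zone for a made-up TLD, and the two ways to stop the validator from returning SERVFAIL for it: a permanent `validate-except` entry, or a time-limited negative trust anchor added with `rndc nta`. The TLD label `lab`, the forwarder address 192.0.2.53 and the file paths are assumptions chosen for the example.

```conf
// Added example, not from the bind-users thread. The TLD "lab", the forwarder
// address and the paths are assumptions for illustration only.

options {
    directory "/var/cache/bind";
    recursion yes;

    // Validation stays on for everything else; the root trust anchor is
    // managed automatically (RFC 5011).
    dnssec-validation auto;

    // Option 1 (permanent, BIND 9.14 and later): never run the validator at or
    // below "lab". Use this when the internal TLD is a deliberate, long-lived
    // design decision rather than a temporary workaround.
    validate-except { "lab"; };
};

// The non-authoritative zone declaration from the discussion: queries for
// anything under "lab" are forwarded to an internal server. Without the
// validate-except entry above (or an NTA, see below) the validator still asks
// the root for a DS record for "lab", receives an NSEC proof that the name
// does not exist, and every answer from the forwarder fails validation.
zone "lab" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};

// Option 2 (temporary, no reload needed): a negative trust anchor added at
// run time. NTAs are intended for incidents, so they expire on their own
// (default lifetime 1 hour, maximum 1 week); a forgotten override cannot
// silently leave validation disabled.
//
//   rndc nta -lifetime 1h lab     # disable validation below "lab" for 1 hour
//   rndc nta -dump                # list active NTAs with their expiry times
//   rndc nta -remove lab          # drop the override again
//
// Checking the effect from a client on the resolver host:
//
//   dig @127.0.0.1 +dnssec SOA lab        # SERVFAIL while validation fails
//   dig @127.0.0.1 +cd SOA lab            # CD bit: returns the unvalidated data
//
// With either override in place the first query succeeds, but the answer is
// returned without the AD flag, because it was never validated.
```

Before reaching for either override it is worth confirming what the validator actually saw: `dig @127.0.0.1 +dnssec +norec DS lab` against the resolver returns the root's NSEC record proving there is no `lab` delegation, which is exactly the "it does not exist, and DNSSEC can prove it" case described above.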