Exclude a domain from DNSSEC validation, like Unbound's domain-insecure.

2012-04-26 Thread Augie Schwer
Is there a way to exclude a domain from DNSSEC validation, like Unbound's domain-insecure? For example, if a popular site (say nasa.gov) updates their keys incorrectly so that their domain fails validation, you contact their admins, and with a high level of confidence you determine this is a

Re: Exclude a domain from DNSSEC validation, like Unbound's domain-insecure.

2012-04-26 Thread Jan-Piet Mens
Augie, Is there a way to exclude a domain from DNSSEC validation, like Unbound's domain-insecure? That is regrettably not possible at the moment, at least not in BIND 9.9.0. The only (quite impracticable) workaround would be to define the zone authoritatively yourself and populate it

Re: Exclude a domain from DNSSEC validation, like Unbound's domain-insecure.

2012-04-26 Thread Fr34k
Great question (Augie) and great feedback (JP). As DNSSEC is adopted, some type of mitigation process will be welcomed. For that reason, I think this is on topic. From: Jan-Piet Mens jpmens@gmail.com To: bind-users@lists.isc.org Sent: Thursday, April