On Apr 26, 2012, at 2:51 PM, Jan-Piet Mens wrote:

> Augie,
>
>> Is there a way to exclude a domain from DNSSEC validation, like
>> Unbound's "domain-insecure"?
>
> That is regrettably not possible at the moment, at least not in BIND
> 9.9.0.
>
> The only (quite impracticable) workaround would be to define the zone
> authoritatively yourself and populate it somehow... (I did say
> impracticable, didn't I?)
>
>> For example if a popular site (say nasa.gov) updates their keys
>> incorrectly so that their domain fails validation, you contact their
>> admins, and with a high level of confidence you determine this is a
>> configuration mistake and not a security breach, you can then
>> exclude them from DNSSEC validation so your customers can access their
>> site while they fix their error.
>
> From a Comcast talk at SATIN 2012 I believe they called that a "negative
> trust anchor", and IIRC, the author wanted to publish a draft of its
> operation. Haven't seen it yet though, and it's probably off topic as
> regards BIND.
http://tools.ietf.org/html/draft-livingood-negative-trust-anchors-01

Being actively discussed on DNSOP list…

W

> -JP
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
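The check a resolver operator wants before installing a negative trust anchor is the one Augie describes: establish that the outage is a DNSSEC validation failure and not something else. The script below is an added example, not code from the thread or from ISC; it queries a validating resolver twice, once normally and once with the CD (checking disabled) bit set, and only when the normal query returns SERVFAIL while the CD query succeeds does it emit the Unbound `domain-insecure` stanza Augie mentions. The resolver address 127.0.0.1 and the name nasa.gov are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the bind-users thread. Gate a negative trust anchor
# on evidence that the failure is really a validation failure: the same query
# must SERVFAIL normally and succeed with +cd. Resolver address and names
# are assumptions for illustration.

# Map the two RCODEs to a verdict.
# $1 = status of the normal query, $2 = status of the +cd query.
classify_failure() {
  case "$1/$2" in
    NOERROR/*|NXDOMAIN/*) echo "ok" ;;                  # resolves; no NTA needed
    SERVFAIL/NOERROR|SERVFAIL/NXDOMAIN)
                          echo "validation-failure" ;;  # NTA candidate
    SERVFAIL/SERVFAIL)    echo "upstream-failure" ;;    # NTA would not help
    *)                    echo "unknown" ;;
  esac
}

# Pull "status: XXX" out of dig's header comment line (+noall +comments).
rcode_of() {
  sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Query resolver $2 (default 127.0.0.1) for the A record of $1, with and
# without checking disabled, and classify the pair of results.
probe() {
  name=$1; resolver=${2:-127.0.0.1}
  normal=$(dig @"$resolver" "$name" A +dnssec +noall +comments | rcode_of)
  cdq=$(dig @"$resolver" "$name" A +dnssec +cd +noall +comments | rcode_of)
  classify_failure "$normal" "$cdq"
}

# Unbound stanza that stops validating $1 and everything below it.
unbound_insecure_stanza() {
  printf 'server:\n    domain-insecure: "%s"\n' "$1"
}

# Usage: ./nta-check.sh nasa.gov [resolver]
if [ -n "$1" ]; then
  verdict=$(probe "$1" "$2")
  echo "$1: $verdict"
  if [ "$verdict" = "validation-failure" ]; then
    echo "# confirm the DS/DNSKEY mismatch with the zone operators before applying:"
    unbound_insecure_stanza "$1"
  fi
fi
```

A SERVFAIL that turns into NOERROR with +cd proves the resolver rejected the data for DNSSEC reasons; it does not by itself distinguish a botched key rollover from an attack, which is why the stanza is printed for review rather than written into the configuration. BIND did gain this facility after the thread, as `rndc nta` in 9.11 and later.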