I am looking for way to disable DNSSEC lookaside validation for a given zone. Would this be possible with BIND already or do I need to file a feature request (and where)?
My reason is that we use a zone "example.net" for internal hosts, served by an internal nameserver and configured as a "forward" zone on the resolvers. For any query to this zone, BIND tries to look up example.net.dlv.isc.org DLV records. If the external internet connection is down and the DLV record is not cached, internal hostname resolution fails because BIND cannot prove the zone's insecure state.

BIND has a configuration setting which does something similar:

| dnssec-must-be-secure
| Specify hierarchies which must be or may not be secure (signed and
| validated). If yes, then named will only accept answers if they
| are secure. If no, then normal DNSSEC validation applies allowing
| for insecure answers to be accepted. The specified domain must be
| under a trusted-key or dnssec-lookaside must be active.

I'd like to have a third option to disable normal DNSSEC validation for a known-insecure zone.

On a related note, will the ISC's DLV zone be available for AXFR? It used to be but isn't anymore. Because of the importance of DLV for any name resolution (it effectively is a root zone), I would like to mirror the zone on my own servers and configure the resolvers to use them in a "forward first" configuration.

Hauke.
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
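For readers following the thread, the named.conf fragment below models the resolver setup the post describes: a validating resolver with DLV lookaside, an internal "forward" zone for example.net, and a "forward first" zone that sends dlv.isc.org queries to locally mirrored copies before falling back to the internet. It is an added example, not configuration from the poster or from ISC; the IP addresses, file names and the choice of a secondary ("slave") zone type for the mirrors are assumptions. The syntax is that of the BIND 9.7 to 9.11 series, which is when DLV lookaside was available.

```conf
// Added example (not from the original post). All addresses are placeholders.

options {
    directory "/var/named";
    recursion yes;

    // DNSSEC validation with ISC's DLV registry as the lookaside anchor.
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    // The option quoted in the post. "yes" forces the hierarchy to be
    // secure; "no" only restores the default validation behaviour. Neither
    // value makes named skip validation for a known-insecure zone, which is
    // the missing third option the post asks for.
    dnssec-must-be-secure "example.net" no;
};

// Internal zone served by an internal authoritative server. Even though
// answers come from inside, the validator still needs the
// example.net.dlv.isc.org DLV lookup (or a cached negative answer) to
// prove the zone is insecure, so an internet outage breaks resolution.
zone "example.net" {
    type forward;
    forward only;
    forwarders { 10.0.0.53; };          // placeholder: internal authoritative server
};

// The mirroring idea from the post: ask local copies of the DLV zone
// first, and fall back to normal recursion if they do not answer.
zone "dlv.isc.org" {
    type forward;
    forward first;
    forwarders { 10.0.0.10; 10.0.0.11; };   // placeholders: local DLV mirrors
};

// On the mirror hosts themselves, the zone would be carried as a secondary
// copy. This only works if ISC permits AXFR of the zone again, which the
// post says is no longer the case:
//
// zone "dlv.isc.org" {
//     type slave;
//     masters { 192.0.2.1; };   // placeholder: ISC's DLV master
//     file "slave/dlv.isc.org.db";
// };
```

Two caveats when reading this today: ISC retired the DLV registry in 2017 and later BIND releases removed the dnssec-lookaside option entirely, and BIND 9.16 and later provide a validate-except option that excludes a listed domain from validation, which is the capability the post was asking for. Neither of those is part of the original message.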