In message <4a99abeb.7080...@hauke-lampe.de>, Hauke Lampe writes:
> I am looking for a way to disable DNSSEC lookaside validation for a given
> zone. Would this be possible with BIND already or do I need to file a
> feature request (and where)?
>
> My reason is that we use a zone "example.net" for internal hosts, served
> by an internal nameserver and configured as a "forward" zone on the
> resolvers.
>
> For any query to this zone, BIND tries to look up
> example.net.dlv.isc.org DLV records. If the external internet connection
> is down and the DLV record not cached, internal hostname resolution
> fails because BIND cannot prove the zone's insecure state.
>
> BIND has a configuration setting which does something similar:
>
> | dnssec-must-be-secure
> | Specify hierarchies which must be or may not be secure (signed and
> | validated). If yes, then named will only accept answers if they
> | are secure. If no, then normal DNSSEC validation applies allowing
> | for insecure answers to be accepted. The specified domain must be
> | under a trusted-key or dnssec-lookaside must be active.
>
> I'd like to have a third option to disable normal DNSSEC validation for
> a known-insecure zone.
>
>
> On a related note, will the ISC's DLV zone be available for AXFR?
> It used to be but isn't anymore.
>
> Because of the importance of DLV for any name resolution (it effectively
> is a root zone), I would like to mirror the zone on my own servers and
> configure the resolvers to use them in a "forward first" configuration.
>
>
>
> Hauke.
Just sign your internal zone and add a trusted-keys clause for it and you
won't use DLV. named only uses dlv if the zone is provably insecure based
on the trust-anchors configured.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
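A resolver-side named.conf fragment illustrating the arrangement Mark describes, added here as an example; it is not from the thread, from Mark, or from ISC. The internal example.net zone is signed on the internal nameserver (with dnssec-keygen and dnssec-signzone, not shown), and the resolver carries that zone's KSK in trusted-keys, so the chain validates from the configured anchor and named never has to look up example.net.dlv.isc.org. Assumptions, all constructed for this example: the internal nameserver listens on 192.0.2.53, the KSK is an RSASHA256 key (flags 257, protocol 3, algorithm 8), and both key strings below are placeholders to be replaced with real key material.

```conf
// Resolver named.conf fragment (added example, not from the original thread).
// Placeholders: 192.0.2.53 is the constructed internal nameserver address,
// and the quoted key strings must be replaced with the real public keys.

options {
    directory "/var/named";
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    // DLV stays on for everything else. example.net no longer depends on it,
    // because it is provably secure under the example.net trust anchor below.
    dnssec-lookaside . trust-anchor dlv.isc.org;
};

// Trust anchors. The example.net entry is the public KSK of the signed
// internal zone (the contents of the Kexample.net.+008+NNNNN.key file
// produced by dnssec-keygen, NNNNN being the key tag). The dlv.isc.org
// entry is the key ISC publishes for its DLV registry.
trusted-keys {
    "example.net." 257 3 8 "PLACEHOLDER-BASE64-PUBLIC-KSK-OF-EXAMPLE-NET";
    "dlv.isc.org." 257 3 5 "PLACEHOLDER-BASE64-DLV-KEY-AS-PUBLISHED-BY-ISC";
};

// The internal zone is still forwarded. The forwarder must be the server
// that holds the signed zone, so its answers carry the RRSIG and DNSKEY
// records the resolver needs to validate locally.
zone "example.net" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};
```

After reloading, `dig +dnssec @<resolver> host.example.net` should answer with the `ad` flag set even while the upstream connection is down, since nothing in the chain for example.net now depends on dlv.isc.org. Two operational points follow from this design: the failure mode moves from "cannot prove insecure" to "signatures expired", so the internal zone must be re-signed before its RRSIG validity ends or resolution fails closed, and a KSK rollover on the internal server requires updating the trusted-keys entry on every resolver, since a static anchor is what replaces the DLV lookup here.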