Hello,

Is there a way to disable DNSSEC validation for a single zone? The people who
run the DNS for ojp.usdoj.gov have broken DNSSEC. usdoj.gov delegates
ojp.usdoj.gov and has a DS record for ojp.usdoj.gov. ojp.usdoj.gov is
unsigned and has no corresponding DNSKEY record, so validation fails. Users
here, who must reach various something.ojp.usdoj.gov hosts, cannot do so, as
the names are unresolvable on our network.

The last time there was a DNS issue with usdoj.gov, it took about 3 weeks for
them to fix it. I'd like to come up with a way to resolve ojp.usdoj.gov names
without disabling validation altogether until they fix their issues. I've
tried setting ojp.usdoj.gov as a forward zone and forwarding to a
non-validating resolver, but that doesn't seem to work.

Ron Dodson
Sr. Network Engineer
ron.dod...@lmco.com
301-519-6502
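The per-zone knob the question asks about, as an added example that is not part of the original message and not the BIND project's own documentation: BIND 9.14 and later accept a validate-except list in options (or per view), which names domains at and below which the resolver skips DNSSEC validation while dnssec-validation stays on for everything else. Older 9.11 builds have no such statement, but they do have negative trust anchors (NTAs) set at runtime with rndc nta, which is the second approach shown in the comments. A forward zone on its own does not help, because named still validates the forwarder's answers against the DS record it found in usdoj.gov. The resolver address 127.0.0.1 and the host name host.ojp.usdoj.gov are placeholders; rndc, dig and delv are the standard BIND tools.

```conf
// Added example (not from the original post): per-zone validation exception
// for the broken ojp.usdoj.gov delegation. Everything else is still validated.
// "validate-except" needs BIND 9.14 or newer; on 9.11/9.12 use the NTA below.
options {
    // The setting to avoid: this turns validation off for every zone.
    // dnssec-validation no;

    // Keep validating against the built-in root trust anchor.
    dnssec-validation auto;

    // Skip validation at and below these names only. Names under
    // ojp.usdoj.gov then resolve as insecure instead of returning SERVFAIL.
    validate-except {
        "ojp.usdoj.gov";
    };
};

// Apply the edit without a restart:
//   rndc reconfig

// Alternative that needs no config change: a negative trust anchor (BIND 9.11+).
// An NTA expires on its own (default lifetime is the nta-lifetime option,
// one hour; the maximum is one week), and named re-checks the name every
// nta-recheck interval (default five minutes), removing the NTA as soon as
// validation succeeds again, i.e. once usdoj.gov fixes the DS record.
//
//   rndc nta -lifetime 7d ojp.usdoj.gov
//   rndc nta -dump                   # list the active NTAs
//   rndc nta -remove ojp.usdoj.gov   # clear it by hand

// Checks before and after (127.0.0.1 and host.ojp.usdoj.gov are placeholders):
//   dig @127.0.0.1 ojp.usdoj.gov DS +dnssec   # the DS published by usdoj.gov
//   dig @127.0.0.1 +cd ojp.usdoj.gov DNSKEY   # +cd bypasses validation; no DNSKEY comes back
//   delv @127.0.0.1 host.ojp.usdoj.gov        # reports why validation fails
//   dig @127.0.0.1 host.ojp.usdoj.gov         # SERVFAIL before, an answer after the change
```

validate-except is the better fit when the breakage is expected to last weeks, since an NTA has to be renewed at least weekly; the NTA is the better fit when you want the exception to disappear by itself the moment the delegation is repaired.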

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users