In message <ca603693.38da5%ron.dod...@lmco.com>, "Dodson, Ron" writes:
> Hello,
>
> Is there a way to disable dnssec validation for a single zone?

No.

> The people who run the dns for ojp.usdoj.gov have broken dnssec.
> Usdoj.gov delegates ojp.usdoj.gov and has a DS record for
> ojp.usdoj.gov. Ojp.usdoj.gov is unsigned, and has no corresponding
> dnskey record, so validation fails. Users here, who must reach various
> something.ojp.usdoj.gov hosts cannot do so as the names are
> unresolvable on our network.

Well call them up on the phone and complain that their DNS servers
are broken.

+1-202-514-2000

It should take seconds to get the DS records removed. They can
then re-do the secure delegation once the zone is signed.

> The last time there was a dns issue with usdoj.gov, it took about 3
> weeks for them to fix it. I'd like to come up with a way to resolve
> ojp.usdoj.gov names without disabling validation altogether until they
> fix their issues. I've tried setting ojp.usdoj.gov as a forward zone
> and forwarding to a non-validating resolver, but that doesn't seem to
> work.

If it takes 3 weeks to get things fixed then someone is plain
incompetent.

Mark

> Ron Dodson
> Sr. Network Engineer
> ron.dod...@lmco.com<mailto:ron.dod...@lmco.com>
> 301-519-6502
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org