Hello,

As a *temporary* solution, you could configure your validating caching name server as authoritative for that name. The authoritative part/answer is taken before the cache, regardless of DS records in the parent indicating that RRSIGs should be present.

One point of attention: don't have validating forwarders forward to such a caching name server - for a validating forwarder both the DS and the "fake" authoritative answer end up in its cache! (If you use validating forwarders, you would have to make each forwarder authoritative for that something...)

Only a *temporary* solution, until the remote side DNS administrators get their thing fixed!!!

Kind regards,

Marc Lampo
Security Officer
EURid vzw/asbl

-----Original Message-----
From: Dodson, Ron [mailto:ron.dod...@lmco.com]
Sent: 04 August 2011 05:47 PM
To: bind-users@lists.isc.org
Subject: Is there a way to disable dnssec validation for a single zone?

Hello,

Is there a way to disable DNSSEC validation for a single zone? The people who run the DNS for ojp.usdoj.gov have broken DNSSEC. usdoj.gov delegates ojp.usdoj.gov and has a DS record for ojp.usdoj.gov. ojp.usdoj.gov is unsigned and has no corresponding DNSKEY record, so validation fails. Users here, who must reach various something.ojp.usdoj.gov hosts, cannot do so as the names are unresolvable on our network. The last time there was a DNS issue with usdoj.gov, it took about 3 weeks for them to fix it. I'd like to come up with a way to resolve ojp.usdoj.gov names without disabling validation altogether until they fix their issues. I've tried setting ojp.usdoj.gov as a forward zone and forwarding to a non-validating resolver, but that doesn't seem to work.

Ron Dodson
Sr. Network Engineer
ron.dod...@lmco.com
301-519-6502
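The workaround Marc describes, as an added example that is not part of the thread and not code from either poster: a small POSIX shell script that writes a `type master` zone stanza plus a minimal zone file so the validating resolver answers for the broken child zone authoritatively (and therefore without looking for RRSIGs), then syntax-checks the zone file with `named-checkzone` if BIND's tools are installed. The host name `www`, the address `192.0.2.10`, and the directory `/etc/named/override` are assumptions chosen for illustration; the real records would have to be copied from the child zone's own name servers (e.g. `dig +cd +short www.ojp.usdoj.gov`, which asks your resolver to skip validation for that one query) for every host users actually need.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build a TEMPORARY
# authoritative override for a child zone whose DS record in the parent
# is stale, following Marc Lampo's suggestion of making the validating
# caching name server authoritative for the name.
# Assumptions (not in the original thread):
#   ZONE     the broken child zone
#   HOST/ADDR one host in it that users need; copy real values from the
#            zone's own servers, e.g. `dig +cd +short www.ojp.usdoj.gov`
#   CONFDIR  where the named.conf fragment and zone file are written

ZONE=ojp.usdoj.gov
HOST=www
ADDR=192.0.2.10            # RFC 5737 documentation address, assumption
CONFDIR=/etc/named/override

# write_override ZONE HOST ADDR DIR
# Creates DIR/override-ZONE.conf (to be `include`d from named.conf on the
# validating resolver) and DIR/db.ZONE. Returns 0 on success.
write_override() {
    zone=$1; host=$2; addr=$3; dir=$4
    mkdir -p "$dir" || return 1
    # Short TTLs: this data is a stopgap and must be easy to retire.
    cat > "$dir/db.$zone" <<EOF
\$TTL 300
@   IN SOA  ns.$zone. hostmaster.$zone. ( 1 3600 900 604800 300 )
@   IN NS   ns.$zone.
ns  IN A    127.0.0.1
$host IN A  $addr
EOF
    # "type master" makes the resolver authoritative for the name, so the
    # answer is served before the cache and no RRSIGs are expected, even
    # though the parent still publishes a DS record for the zone.
    cat > "$dir/override-$zone.conf" <<EOF
// TEMPORARY: remove once the DS for $zone is withdrawn or the zone is signed.
zone "$zone" {
    type master;
    file "$dir/db.$zone";
};
EOF
}

# check_override ZONE DIR
# Confirms both files exist and carry the authoritative stanza, and runs
# named-checkzone on the zone file when BIND's tools are available.
check_override() {
    zone=$1; dir=$2
    [ -s "$dir/db.$zone" ] && [ -s "$dir/override-$zone.conf" ] || return 1
    grep -q 'type master;' "$dir/override-$zone.conf" || return 1
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone -q "$zone" "$dir/db.$zone" || return 1
    fi
    return 0
}

# Usage: sh override.sh run   (then `include "/etc/named/override/override-ojp.usdoj.gov.conf";`
# in named.conf and reload named)
if [ "${1:-}" = "run" ]; then
    write_override "$ZONE" "$HOST" "$ADDR" "$CONFDIR" && \
    check_override "$ZONE" "$CONFDIR"
fi
```

Two caveats from the thread apply to this script as written: it must be installed on every validating resolver that users query directly, because a validating forwarder that sends the query on to this server will cache both the parent's DS and the unsigned "authoritative" answer and still fail; and the override file should be removed as soon as the zone's operators fix the delegation, since every host in the zone not listed here will return NXDOMAIN from the local copy.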