While calling them sounds fun, I wonder if we need a Soft Failure mode sooner rather than later during dnssec deployment.
Or a way to have bind 9 report broken dnssec to a central site where we or a group of ISC-blessed volunteers call them after X reports of brokenness.

--Michael (from an iPhone)

On Aug 4, 2011, at 19:37, Mark Andrews <ma...@isc.org> wrote:

>
> In message <ca603693.38da5%ron.dod...@lmco.com>, "Dodson, Ron" writes:
>> Hello,
>>
>> Is there a way to disable dnssec validation for a single zone?
>
> No.
>
>> The people who run the dns for ojp.usdoj.gov have broken dnssec. Usdoj.gov
>> delegates ojp.usdoj.gov and has a DS record for ojp.usdoj.gov. Ojp.usdoj.gov
>> is unsigned, and has no corresponding dnskey record, so validation fails.
>> Users here, who must reach various something.ojp.usdoj.gov hosts cannot do
>> so as the names are unresolvable on our network.
>
> Well call them up on the phone and complain that their DNS servers
> are broken. +1-202-514-2000
>
> It should take seconds to get the DS records removed. They can then
> re-do the secure delegation once the zone is signed.
>
>> The last time there was a dns issue with usdoj.gov, it took about 3 weeks
>> for them to fix it. I'd like to come up with a way to resolve ojp.usdoj.gov
>> names without disabling validation altogether until they fix their issues.
>> I've tried setting ojp.usdoj.gov as a forward zone and forwarding to a
>> non-validating resolver, but that doesn't seem to work.
>
> If it takes 3 weeks to get things fixed then someone is plain incompetent.
>
> Mark
>
>> Ron Dodson
>> Sr. Network Engineer
>> ron.dod...@lmco.com
>> 301-519-6502
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
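
The failure described in the quoted report (a DS record at the parent for a zone that publishes no DNSKEY) can be triaged from two query answers. The sketch below is an added example, not part of the original thread and not BIND code; the zone name and records are constructed, the function names are hypothetical, and it compares only key tag and algorithm, which is a triage check rather than full validation. It also flags a DS that matches none of the published keys, which goes beyond the case in the thread.

```python
import base64

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B."""
    rdata = (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
             + base64.b64decode(pubkey_b64))
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_rrs(text):
    """Parse dig-style lines 'owner ttl class type rdata...' into tuples."""
    rrs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and not f[0].startswith(";"):
            rrs.append((f[0].lower().rstrip("."), f[3].upper(), f[4:]))
    return rrs

def delegation_state(zone, parent_answer, child_answer):
    """Classify a delegation from the parent's DS answer and the child's apex answer."""
    zone = zone.lower().rstrip(".")
    # DS RDATA: key-tag algorithm digest-type digest
    ds = {(int(r[0]), int(r[1]))
          for o, t, r in parse_rrs(parent_answer) if o == zone and t == "DS"}
    # DNSKEY RDATA: flags protocol algorithm public-key (base64, may contain spaces)
    keys = {(key_tag(int(r[0]), int(r[1]), int(r[2]), "".join(r[3:])), int(r[2]))
            for o, t, r in parse_rrs(child_answer) if o == zone and t == "DNSKEY"}
    if not ds:
        return "insecure"  # no DS: validators treat the child as unsigned
    if not keys:
        return "broken: DS at parent, no DNSKEY in child"
    if not ds & keys:
        return "broken: no DNSKEY matches any DS key tag/algorithm"
    return "ds-matches-dnskey"

# Constructed sample answers (not real records).
PARENT_DS = "child.example. 3600 IN DS 2063 8 2 " + "AB" * 32
PARENT_DS_STALE = "child.example. 3600 IN DS 9999 8 2 " + "AB" * 32
CHILD_UNSIGNED = ("child.example. 3600 IN SOA ns1.child.example. "
                  "hostmaster.child.example. 1 7200 900 1209600 3600")
CHILD_SIGNED = "child.example. 3600 IN DNSKEY 257 3 8 AQIDBA=="

if __name__ == "__main__":
    for parent, child in [(PARENT_DS, CHILD_UNSIGNED), (PARENT_DS, CHILD_SIGNED),
                          (PARENT_DS_STALE, CHILD_SIGNED), ("", CHILD_UNSIGNED)]:
        print(delegation_state("child.example", parent, child))
```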