On Aug 5 2011, Mark Andrews wrote:

> In message <ca603693.38da5%ron.dod...@lmco.com>, "Dodson, Ron" writes:
>> Hello,
>> Is there a way to disable dnssec validation for a single zone?
>
> No.

Without wanting to argue about whether it would be appropriate to use
such a mechanism (if it existed) in this particular case, this question
does seem to crop up from time to time, usually in conjunction with "but
unbound has such a facility". E.g. it came up on the dnssec-deployment
mailing list recently in connection with 239.in-addr.arpa being signed
and empty, and thus more or less forcing any local reverse zone for
part of 239/8 to be signed and have a local trust anchor as well.
Maybe I am missing something, but it wouldn't seem to be too technically
difficult to have an "anti-trust anchor" declaring that a particular zone
is to be considered provably insecure. Is it, then, a political matter,
reflecting a belief that (a) it would be misused and/or (b) even local
zones should be signed anyway?
--
Chris Thompson
Email: c...@cam.ac.uk
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
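
The "anti-trust anchor" idea raised in the message above, sketched as a toy decision function; this is an added example, not code from the thread or from BIND or Unbound. The precedence rule (deepest enclosing anchor wins, ties go to the anti-trust anchor) and the local reverse zone `10.239.in-addr.arpa` are assumptions made for illustration.

```python
# Toy model of an "anti-trust anchor" lookup. All zone names are constructed.

def labels(name):
    """Split a domain name into lowercase labels; the root is []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def is_at_or_below(name, zone):
    """True if `name` equals `zone` or is a descendant of it."""
    n, z = labels(name), labels(zone)
    return len(z) <= len(n) and n[len(n) - len(z):] == z

def closest_enclosing(name, zones):
    """Return the deepest zone in `zones` that encloses `name`, or None."""
    matches = [z for z in zones if is_at_or_below(name, z)]
    return max(matches, key=lambda z: len(labels(z)), default=None)

def validation_policy(name, trust_anchors, anti_trust_anchors):
    """Decide how a validating resolver would treat `name`.

    Assumption: the deepest enclosing anchor wins, and an anti-trust
    anchor at the same depth as a trust anchor takes precedence.
    """
    ta = closest_enclosing(name, trust_anchors)
    nta = closest_enclosing(name, anti_trust_anchors)
    if nta is not None and (ta is None or len(labels(nta)) >= len(labels(ta))):
        return "insecure"       # accept answers without checking signatures
    if ta is not None:
        return "validate"       # chain of trust must verify down from `ta`
    return "indeterminate"      # no trust anchor covers this name

# Constructed configuration: root trust anchor plus one local reverse zone
# under the signed, empty 239.in-addr.arpa that is declared insecure.
TRUST_ANCHORS = ["."]
ANTI_TRUST_ANCHORS = ["10.239.in-addr.arpa"]

if __name__ == "__main__":
    for qname in ("1.0.10.239.in-addr.arpa", "1.0.20.239.in-addr.arpa",
                  "www.example.org"):
        print(qname, "->",
              validation_policy(qname, TRUST_ANCHORS, ANTI_TRUST_ANCHORS))
```

Only names at or below the declared zone lose validation; the rest of 239/8 and every other name still has to validate from the root anchor.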