On Tue, Feb 28, 2012 at 06:28:54PM +0000, Evan Hunt wrote:
> > the one that bites us most often is that of the expired RRSIG. If
> > we could log that but go ahead and accept the data, most of the
> > pain would stop.
>
> BIND has this: "dnssec-accept-expired yes;" Note that it opens you
> to replay attacks, but misconfigured zones are more common than
> replay attacks, for now anyway.

Ah! Thanks. I should have checked the ARM before posting. I guess
I'll keep my validation on with this option, see how it goes.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
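
An added example, not part of the thread and not BIND code: a Python check that reads RRSIG records in the presentation format printed by `dig +dnssec` and reports which signatures are outside their validity window, so expired signatures can be logged while `dnssec-accept-expired yes;` is in effect. The function name and the sample records are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample records in `dig +dnssec` presentation format (not real zone data).
SAMPLE = """\
; constructed example records
ok.example.     3600 IN RRSIG A 8 2 3600 20120315000000 20120214000000 12345 example. c2ln
stale.example.  3600 IN RRSIG A 8 2 3600 20120220000000 20120120000000 12345 example. c2ln
future.example. 3600 IN RRSIG A 8 2 3600 20120401000000 20120301000000 12345 example. c2ln
ok.example.     3600 IN A 192.0.2.1
"""


def _parse_time(field):
    # RFC 4034 allows YYYYMMDDHHmmSS (UTC) or seconds since the epoch.
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def classify_rrsigs(text, now):
    """Return (owner, type_covered, signer, status) for each RRSIG line."""
    results = []
    for line in text.splitlines():
        fields = line.split()
        if line.startswith(";") or "RRSIG" not in fields:
            continue
        # RDATA order: covered alg labels origttl expiration inception keytag signer sig
        rdata = fields[fields.index("RRSIG") + 1:]
        if len(rdata) < 9:
            continue  # truncated or malformed record
        expiration, inception = _parse_time(rdata[4]), _parse_time(rdata[5])
        if now > expiration:
            status = "expired"
        elif now < inception:
            status = "not-yet-valid"
        else:
            status = "valid"
        results.append((fields[0], rdata[0], rdata[7], status))
    return results


if __name__ == "__main__":
    now = datetime(2012, 2, 28, 18, 28, 54, tzinfo=timezone.utc)
    for owner, covered, signer, status in classify_rrsigs(SAMPLE, now):
        print(f"{owner} {covered} signer={signer} {status}")
```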