Augie,

> Is there a way to exclude a domain from DNSSEC validation, like
> Unbound's "domain-insecure"?

That is regrettably not possible at the moment, at least not in BIND 9.9.0. The only (quite impracticable) workaround would be to define the zone authoritatively yourself and populate it somehow... (I did say impracticable, didn't I?)

> For example, if a popular site (say nasa.gov) updates their keys
> incorrectly so that their domain fails validation, you contact their
> admins, and with a high level of confidence you determine this is a
> configuration mistake and not a security breach, you can then
> exclude them from DNSSEC validation so your customers can access their
> site while they fix their error.

From a Comcast talk at SATIN 2012 I believe they called that a "negative trust anchor", and IIRC the author wanted to publish a draft of its operation. Haven't seen it yet though, and it's probably off topic as regards BIND.

-JP
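For reference, here is what the Unbound option Augie mentions looks like in practice. This is an added illustration, not part of the thread above or of any BIND configuration; nasa.gov is used only because it is the example from the question.

```conf
# unbound.conf fragment (added example, not from the original thread)
server:
    # Keep validation on for everything else.
    module-config: "validator iterator"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Treat nasa.gov and everything below it as insecure: answers from
    # that subtree are returned even if their DNSSEC data fails to
    # validate, but they are never marked authenticated (no AD bit).
    # Remove this line as soon as the zone owner has fixed their keys.
    domain-insecure: "nasa.gov"
```

The same effect can be applied at runtime without a restart with `unbound-control insecure_add nasa.gov` and undone with `unbound-control insecure_remove nasa.gov`; the runtime entry does not survive a restart, which is a reasonable property for a temporary override of this kind. Note that this turns off validation for the whole subtree below the named name, so the override should be scoped as narrowly as the failing delegation allows.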