Hi @all,

I know that BIND has no feature to disable DNSSEC validation for selected zones/domains (when working as a recursor). One can only enable/disable DNSSEC validation globally per view (as a boolean on/off).

I found that Microsoft's DNS Server has a feature to skip the validation for some domains. They call it NRPT (Name Resolution Policy Table). Unbound also has a similar feature (domain-insecure).

Some of the internal domains of our customers will fail the proof-of-non-existence. While this is technically correct, we still need access to their internal domain to do our business... So the current all-or-nothing approach of BIND prevents us from activating DNSSEC altogether (and will probably do so for years to come).

I'm just wondering, is an option like Unbound's "domain-insecure" intentionally not implemented in BIND? Or did just nobody care enough to implement it yet?

Regards,
Stefan