On Jan 13, 2015, at 2:35 AM, stefan.las...@t-systems.com wrote:

> I know that BIND has no feature to disable DNSSEC validation for selected
> Zones/Domains (when working as a recursor).
> One can only enable/disable DNSSEC validation globally per view (as a boolean
> on/off).

[...]

> I'm just wondering, is an option like unbound's "domain-insecure"
> intentionally not implemented in BIND? Or did just nobody care enough to
> implement it yet?

While you wait for this to become generally available, you can do what I like to do for my customers: Use two layers of recursive DNS servers.

The first layer takes queries from clients, knows about your insecure domains (through stub zones, slave zones, or conditional forwarding), and does not perform DNSSEC validation. The first layer globally forwards to the second layer, which does DNSSEC validation and recursion.

This second layer can also have a few other features:

- Placed in the DMZ, outside the internal firewall
- No access to internal namespace, internal devices, etc.
- RPZ filtering, if you're going to use this

You can also achieve much of this within a single named instance using two views, with forwarding from one view to the other.

Chris
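
The two-layer layout described in the reply above, sketched as two named.conf fragments with conditional forwarding for the insecure domain. This is an added example, not configuration from the original post; the addresses, the ACL name and the zone name corp.example are constructed placeholders.

```conf
// ===== File 1: named.conf on the layer-1 resolver (client-facing) =====
// Assumed addresses: layer 1 = 10.0.0.2, internal authoritative = 10.0.0.53,
// layer 2 (DMZ) = 192.0.2.53. All are constructed for illustration.

acl internal-clients { 10.0.0.0/8; };

options {
    recursion yes;
    allow-query     { internal-clients; };
    allow-recursion { internal-clients; };

    // No validation here, so answers for the unsigned internal
    // domain below are accepted as-is.
    dnssec-validation no;

    // Everything not matched by a zone below goes to layer 2.
    forward only;
    forwarders { 192.0.2.53; };
};

// Insecure internal domain: answered from the internal server and
// never sent to the validating layer.
zone "corp.example" {
    type forward;
    forward only;
    forwarders { 10.0.0.53; };
};

// ===== File 2: named.conf on the layer-2 resolver (DMZ) =====
// Separate host and separate file. It has no zones or forwarders for
// corp.example, so it has no path into the internal namespace.

options {
    recursion yes;

    // Only the layer-1 resolver may query this server.
    allow-query     { 10.0.0.2; };
    allow-recursion { 10.0.0.2; };

    // Full recursion with validation against the built-in root trust anchor.
    dnssec-validation auto;

    // Optional RPZ filtering would be enabled here with a
    // response-policy statement and a matching policy zone.
};
```

Each file can be syntax-checked on its own with `named-checkconf <file>`.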