On Jan 13, 2015, at 2:35 AM, stefan.las...@t-systems.com wrote:
> I'm just wondering, is an option like unbound's "domain-insecure"
> intentionally not implemented in BIND? Or did just nobody care
> enough to implement it yet?

I have resisted implementing it because it's too easy for an operator to forget they knocked a hole in their DNSSEC protections, and leave the hole in place long after it stopped being useful.

The negative trust anchor implementation that will be released in 9.11 corrects for this with built-in term limits. NTAs are added via rndc, and they expire and are removed after a relatively short lifespan, not exceeding a week.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.