Hm... In our case a short lifespan won't be enough. Our customer uses a fictional top-level domain, and migrating the whole infrastructure to a new, proper domain will take them months, if not years. They'll have to adjust every DNS config of every server, every web service they have running internally, all documentation, etc. I wouldn't be surprised if they are not even aware of the problem yet.
Regards,
Stefan

-----Original Message-----
From: Evan Hunt [mailto:e...@isc.org]
Sent: Wednesday, 14 January 2015 09:13
To: Lasche, Stefan
Cc: BIND Users
Subject: Re: Disable DNSSEC Validation for selected Domains

On Jan 13, 2015, at 2:35 AM, stefan.las...@t-systems.com wrote:
> I'm just wondering, is an option like unbound's "domain-insecure"
> intentionally not implemented in BIND? Or did just nobody care
> enough to implement it yet?

I have resisted implementing it because it's too easy for an operator to forget they knocked a hole in their DNSSEC protections, and leave the hole in place long after it stopped being useful.

The negative trust anchor implementation that will be released in 9.11 corrects for this with built-in term limits. NTAs are added via rndc, and they expire and are removed after a relatively short lifespan, not exceeding a week.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
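To make the design difference in this exchange concrete, here is a small Python model, added as an illustration and not code from the thread, from BIND or from unbound. It models a validator-side store of insecure-zone entries: a temporary negative trust anchor whose lifetime is capped at one week (the bound Evan gives), alongside a permanent "domain-insecure" style entry that never closes. The names (`example.internal`, `legacy.internal`), the timestamps and the one-hour lifetime are constructed for the example; how BIND actually stores and rechecks NTAs is not shown here.

```python
"""Model of negative trust anchors (NTAs) with enforced expiry.

Constructed illustration for this thread; it is not BIND or unbound code.
It models the design point in the reply: an NTA tells the validator to
treat a name (and everything below it) as insecure, but only until the
entry expires, and the lifetime is capped at one week, so a hole that
someone forgets about closes on its own. A permanent entry in the style
of unbound's "domain-insecure" is modelled alongside for contrast.
"""
from datetime import datetime, timedelta, timezone

# Upper bound on an NTA lifetime, as stated in the thread ("not exceeding a week").
MAX_NTA_LIFETIME = timedelta(days=7)


class NtaStore:
    """Holds insecure-zone entries keyed by DNS name."""

    def __init__(self):
        # name -> expiry time; None marks a permanent (never expiring) entry
        self._entries = {}

    @staticmethod
    def _normalize(name):
        # Lower-case and strip the trailing dot so lookups are case-insensitive.
        return name.rstrip(".").lower()

    def add_nta(self, name, lifetime, now):
        """Add a temporary NTA; refuse lifetimes beyond the one-week cap."""
        if lifetime <= timedelta(0) or lifetime > MAX_NTA_LIFETIME:
            raise ValueError("NTA lifetime must be positive and at most one week")
        self._entries[self._normalize(name)] = now + lifetime

    def add_permanent(self, name):
        """domain-insecure style entry: never expires (the behaviour resisted in the thread)."""
        self._entries[self._normalize(name)] = None

    def expire(self, now):
        """Drop entries whose lifetime has passed; return the names removed."""
        removed = [n for n, exp in self._entries.items() if exp is not None and exp <= now]
        for n in removed:
            del self._entries[n]
        return removed

    def covers(self, qname, now):
        """True if qname or any ancestor has a live insecure entry."""
        self.expire(now)
        labels = self._normalize(qname).split(".")
        # Walk from the full name up to the TLD: www.a.b -> a.b -> b
        return any(".".join(labels[i:]) in self._entries for i in range(len(labels)))


def validator_answers_servfail(validation_failed, qname, store, now):
    """A validating resolver returns SERVFAIL on a DNSSEC failure unless an
    insecure entry covers the name; then it serves the data unvalidated."""
    return validation_failed and not store.covers(qname, now)


def demo():
    """Walk through the lifecycle; names and times are constructed."""
    t0 = datetime(2015, 1, 14, 9, 13, tzinfo=timezone.utc)
    store = NtaStore()
    # Constructed name under a made-up internal TLD, standing in for the
    # customer's unsigned, non-delegated domain from the thread.
    store.add_nta("example.internal", timedelta(hours=1), t0)
    store.add_permanent("legacy.internal")
    try:
        store.add_nta("other.internal", timedelta(days=8), t0)
        capped = False
    except ValueError:
        capped = True
    later = t0 + timedelta(hours=2)
    return {
        "servfail_while_nta_live": validator_answers_servfail(
            True, "www.example.internal", store, t0),
        "servfail_elsewhere": validator_answers_servfail(
            True, "www.example.org", store, t0),
        "lifetime_capped": capped,
        "expired_later": store.expire(later),
        "servfail_after_expiry": validator_answers_servfail(
            True, "www.example.internal", store, later),
        "permanent_still_covers": not validator_answers_servfail(
            True, "host.legacy.internal", store, t0 + timedelta(days=365)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module walks through one lifecycle: while the NTA is live, a failed validation for `www.example.internal` is answered instead of SERVFAIL; two hours later the entry has expired and the name fails closed again, whereas the permanent entry still suppresses validation a year on. That lingering entry is exactly the operational risk the reply describes, and the cap on `add_nta` is the term limit that bounds it.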