> -----Ursprüngliche Nachricht-----
> Von: Evan Hunt [mailto:e...@isc.org]
>
> On Jan 13, 2015, at 2:35 AM, stefan.las...@t-systems.com wrote:
> > I'm just wondering, is an option like unbound's "domain-insecure"
> > intentionally not implemented in BIND? Or did just nobody care
> > enough to implement it yet?
>
> I have resisted implementing it because it's too easy for an
> operator to forget they knocked a hole in their DNSSEC protections,
> and leave the hole in place long after it stopped being useful.
>
> The negative trust anchor implementation that will be released in
> 9.11 corrects for this with built-in term limits. NTAs are added
> via rndc, and they expire and are removed after a relatively short
> lifespan, not exceeding a week.
On Wed, Jan 14, 2015 at 10:34:35AM +0100, stefan.las...@t-systems.com wrote:
> Hm... In our case a short lifespan won't be enough.

I hate to point this out, but a simple workaround to make NTAs permanent
is to have a cron job which runs your "rndc nta" command as often as
needed. May Evan and the gods of DNSSEC have mercy on my soul! :(

> Our customer uses a fictional Toplevel Domain and migrating the
> whole Infrastructure to a new, proper Domain will take him months
> if not years. They'll have to adjust every DNS Config of every
> Server, every Webservice they have running internally, all
> Documentations etc... I wouldn't be surprised if they are not even
> aware of the problem, yet.

-- 
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
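A defender-side check that follows from Evan's concern and rob0's cron workaround above, as an added example that is not code from the thread or from ISC: it parses `rndc nta -dump` output and reports NTAs that have been present longer than the built-in lifetime, which is exactly what a cron-refreshed NTA looks like. The dump line format `zone/class: expiry DD-Mon-YYYY HH:MM:SS.mmm`, the `first_seen` record persisted between runs, and the sample dump are assumptions/constructed for the example.

```python
"""Report BIND negative trust anchors that have outlived the intended lifetime.

Added example, not code from the thread or from ISC. Assumes `rndc nta -dump`
prints one NTA per line as "zone/class: expiry DD-Mon-YYYY HH:MM:SS.mmm"
(an assumption about the format). first_seen is a dict the operator persists
between cron runs, so an NTA that keeps being re-added keeps its true age.
"""
import re
from datetime import datetime, timedelta

# One dump line, e.g. "corp.internal/IN: expiry 21-Jan-2015 10:00:00.000"
NTA_LINE = re.compile(r"^(?P<name>\S+?)/(?P<cls>\w+):\s+(?P<kind>\w+)\s+(?P<when>.+)$")
TS_FMT = "%d-%b-%Y %H:%M:%S.%f"

def parse_nta_dump(text):
    """Map each NTA name (lower-cased, no trailing dot) to its expiry time."""
    ntas = {}
    for line in text.splitlines():
        m = NTA_LINE.match(line.strip())
        if m:
            name = m.group("name").rstrip(".").lower()
            ntas[name] = datetime.strptime(m.group("when"), TS_FMT)
    return ntas

def stale_ntas(current, first_seen, now, max_age=timedelta(days=7)):
    """Return the NTAs that have been in place for longer than max_age.

    first_seen (name -> datetime) is updated in place: names seen for the
    first time get `now`; names no longer present are dropped, so a later
    re-add starts a fresh clock instead of inheriting an old start date.
    """
    for name in list(first_seen):
        if name not in current:
            del first_seen[name]
    return sorted(n for n in current if now - first_seen.setdefault(n, now) > max_age)

# Constructed sample dump: two NTAs, one of them refreshed by cron for weeks.
SAMPLE_DUMP = """\
corp.internal/IN: expiry 21-Jan-2015 10:00:00.000
example.org/IN: expiry 15-Jan-2015 12:00:00.000
"""

def demo():
    """Run the check against the constructed dump; returns (stale, first_seen)."""
    seen = {"corp.internal": datetime(2015, 1, 1),   # persisted from earlier runs
            "old.example": datetime(2014, 12, 1)}    # NTA that has since expired
    now = datetime(2015, 1, 14, 10, 35)
    return stale_ntas(parse_nta_dump(SAMPLE_DUMP), seen, now), seen

if __name__ == "__main__":
    stale, seen = demo()
    for zone in stale:
        print(f"NTA for {zone} in place since {seen[zone]:%Y-%m-%d}; still needed?")
```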