In message <10d9f4dd-1be6-41ff-954d-fd223547d...@virtualized.org>, David Conrad writes:
> Tim,
>
> On Oct 29, 2014, at 2:55 PM, Morizot Timothy S <timothy.s.mori...@irs.gov> wrote:
> > If an authoritative domain (e.g. irs.gov) screwed up its delegation NS
> > records so it effectively went dark or made some similar sort of
> > authoritative DNS or nameserver error, we wouldn't expect the recursive,
> > caching side to resolve those sorts of errors. The domain's DNS would
> > simply be unavailable until they resolved their problem.
> >
> > I'm not sure I understand why DNSSEC is somehow different.
>
> Because folks who aren't validating see no problems, thus discouraging
> people from leaving validation on.
>
> To wit, on NANOG:
>
> > From: Ray Van Dolson <rvandol...@esri.com>
>
> "I saw the same errors in dnsviz, but was unsure if they were sufficient
> to cause lookup failures (they were "warnings" only).
>
> # dig @8.8.8.8 disa.mil MX +dnssec
> ...
> I do note that once we disabled DNSSEC on our resolvers we were able to
> push mail out to these domains. May have been coincidental -- needs
> further testing."
>
> I figure it would be nice to give people the option of disabling
> validation for a single domain instead of turning validation off for
> everything.
I suspect you will find there are ways to do this in all the validators.
BIND has had the following for ages which I know David knows.

    disable-algorithms <string> { <string>; ... };

BIND 9.11 will allow for disabling via rndc with automatic periodic testing
and re-enabling when validation of the SOA succeeds. Validation will also be
automatically re-enabled after a timer goes off.

Mark

> Regards,
> -drc

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
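As an added illustration (not part of Mark's message or of BIND's own documentation), a named.conf fragment contrasting the resolver-wide switch Ray's team flipped with the per-domain scoping Mark points at; the domain is the one from Ray's report, the algorithm list is a constructed assumption.

```conf
options {
    // What Ray's team did: validation off for every domain, which is
    // exactly the outcome David wants to avoid. Left here only for contrast.
    // dnssec-validation no;

    // Keep validation on for everything...
    dnssec-validation auto;

    // ...but treat disa.mil and everything below it as insecure.
    // disable-algorithms only makes the subtree insecure if *every*
    // algorithm its DS/DNSKEY records use is listed; leave one out and
    // validation still runs (and still fails). The list below is a
    // constructed example, not disa.mil's real key algorithms.
    disable-algorithms "disa.mil" { RSASHA1; RSASHA256; ECDSAP256SHA256; };
};
```

After `rndc reconfig`, repeating Ray's `dig @resolver disa.mil MX +dnssec` should return an answer without the AD flag instead of SERVFAIL, while every other zone is still validated; the rndc-driven, self-expiring variant Mark describes for 9.11 is the negative trust anchor (`rndc nta`) facility.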