Re: Disable DNSSEC Validation for selected Domains

2015-01-17 Thread /dev/rob0
> -Original Message-
> From: Evan Hunt [mailto:e...@isc.org]
> > On Jan 13, 2015, at 2:35 AM, stefan.las...@t-systems.com wrote:
> > I'm just wondering, is an option like unbound's "domain-insecure"
> > intentionally not implemented in BIND? Or did just nobody care
> > enough to

Re: Disable DNSSEC Validation for selected Domains

2015-01-14 Thread Evan Hunt
On Jan 13, 2015, at 2:35 AM, stefan.las...@t-systems.com wrote:
> I'm just wondering, is an option like unbound's "domain-insecure"
> intentionally not implemented in BIND? Or did just nobody care
> enough to implement it yet?

I have resisted implementing it because it's too easy for an operato

Re: Disable DNSSEC Validation for selected Domains

2015-01-13 Thread Chris Buxton
On Jan 13, 2015, at 2:35 AM, stefan.las...@t-systems.com wrote:
> I know that BIND has no feature to disable DNSSEC validation for selected
> Zones/Domains (when working as a recursor).
> One can only enable/disable DNSSEC validation globally per view (as a boolean
> on/off).
[...]
> I'm just

Re: Disable DNSSEC Validation for selected Domains

2015-01-13 Thread Daniel Stirnimann
Hello Stefan

You may also try to disable all DNSSEC algorithms for a zone:
https://lists.dns-oarc.net/pipermail/dns-operations/2014-October/012282.html

Regards,
Daniel

On 13.01.15 14:53, stefan.las...@t-systems.com wrote:
> Hi Mukund
>
> and thanks a lot for pointing that out!
> It is already

Re: Disable DNSSEC Validation for selected Domains

2015-01-13 Thread Stefan.Lasche
Hi Mukund

and thanks a lot for pointing that out!
It is already more than I was hoping for :)

Regards,
Stefan

> BIND will get support for negative trust anchors in 9.11, which will provide
> the feature that you seek. An implementation is now in the master branch.
>
> https://tools.ietf.org

Re: Disable DNSSEC Validation for selected Domains

2015-01-13 Thread Mukund Sivaraman
Hi Stefan

On Tue, Jan 13, 2015 at 11:35:26AM +0100, stefan.las...@t-systems.com wrote:
> Some of the internal Domains of our customers will fail the
> proof-of-non-existence. While this is technically correct, we still
> need access to their internal Domain to do our business... So the
> current

Re: Disable DNSSEC Validation for selected Domains

2015-01-13 Thread Tony Finch
stefan.las...@t-systems.com wrote:
>
> I know that BIND has no feature to disable DNSSEC validation for
> selected Zones/Domains (when working as a recursor).

BIND 9.11 will have negative trust anchors.

Tony.
--
f.anthony.n.finch http://dotat.at/
Fair Isle: Southwest 6 to gale 8, occasionall