[dns-operations] How to tell bind to ignore DNSSEC for a domain/zone

Livingood, Jason Jason_Livingood at cable.comcast.com
Fri Oct 10 23:36:19 UTC 2014

Ah! A Negative Trust Anchor. :-)

>From an upcoming draft on the subject. Let me know if you think this does
the trick or not.

You can achive this functionality by disabling all DNSSEC algorithms
   for a zone.  The operator can see which algorithms the zone is using,
   or simply disable all supported algorithms.

   This gets placed in the "global options" section of the config file.

   disable-algorithms "foo.example.com." {"RSAMD5", "RSA", "DH",
     "RSASHA256", "RSASHA512", "ECCGOST", "ECDSAP256SHA256",
     "ECDSAP384SHA384"; };

- Jason

On 10/10/14, 5:56 PM, "Franck Martin" <fmartin at linkedin.com> wrote:

>I see that unbound has a statement to tell, this domain dnssec does not
>work, ignore dnssec validation for it.
>How do you do the same with bind?

More information about the dns-operations mailing list