[dns-operations] How to tell bind to ignore DNSSEC for a domain/zone
Livingood, Jason
Jason_Livingood at cable.comcast.com
Fri Oct 10 23:36:19 UTC 2014
Ah! A Negative Trust Anchor. :-)
From an upcoming draft on the subject. Let me know if you think this does
the trick or not.
You can achieve this functionality by disabling all DNSSEC algorithms
for a zone. The operator can see which algorithms the zone is using,
or simply disable all supported algorithms.
This gets placed in the "global options" section of the config file.
    disable-algorithms "foo.example.com." { "RSAMD5"; "RSA"; "DH";
        "DSA"; "NSEC3DSA"; "ECC"; "RSASHA1"; "NSEC3RSASHA1";
        "RSASHA256"; "RSASHA512"; "ECCGOST"; "ECDSAP256SHA256";
        "ECDSAP384SHA384"; };
- Jason
On 10/10/14, 5:56 PM, "Franck Martin" <fmartin at linkedin.com> wrote:
>I see that unbound has a statement to tell, this domain dnssec does not
>work, ignore dnssec validation for it.
>
>How do you do the same with bind?
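
Added example, not part of the original post or the draft it quotes: a Python helper that reads a zone's DNSKEY RRset (as printed by dig) to see which algorithms the zone is using and emits a disable-algorithms stanza for only those. The function names and the sample records are constructed for illustration.

```python
import re

# IANA DNSSEC algorithm numbers -> mnemonics used in the stanza quoted above.
ALG_MNEMONIC = {
    1: "RSAMD5", 2: "DH", 3: "DSA", 5: "RSASHA1", 6: "NSEC3DSA",
    7: "NSEC3RSASHA1", 8: "RSASHA256", 10: "RSASHA512", 12: "ECCGOST",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
}

# Presentation format: owner [ttl] [class] DNSKEY flags protocol algorithm key
DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+"
    r"\d+\s+\d+\s+(?P<alg>\d+)\s+\S", re.IGNORECASE)

def fqdn(name):
    """Lower-case a name and give it exactly one trailing dot."""
    return name.lower().rstrip(".") + "."

def zone_algorithms(zone, dig_answer):
    """Sorted algorithm numbers found in the DNSKEY RRset at the zone apex."""
    algs = set()
    for line in dig_answer.splitlines():
        m = DNSKEY_RE.match(line.strip())  # comment and blank lines never match
        if m and fqdn(m.group("owner")) == fqdn(zone):
            algs.add(int(m.group("alg")))
    return sorted(algs)

def disable_algorithms_stanza(zone, dig_answer):
    """Build a stanza naming only the algorithms the zone actually uses."""
    algs = zone_algorithms(zone, dig_answer)
    if not algs:
        raise ValueError(f"no DNSKEY records found for {fqdn(zone)}")
    unknown = [a for a in algs if a not in ALG_MNEMONIC]
    if unknown:
        raise ValueError(f"no mnemonic known for algorithm(s) {unknown}")
    names = " ".join(f'"{ALG_MNEMONIC[a]}";' for a in algs)
    return f'disable-algorithms "{fqdn(zone)}" {{ {names} }};'

# Constructed sample (not real keys), shaped like `dig DNSKEY` answer lines.
SAMPLE = """\
; constructed sample answer section
foo.example.com.   3600 IN DNSKEY 257 3 8 AwEAAcConstructedKSK=
foo.example.com.   3600 IN DNSKEY 256 3 8 AwEAAcConstructedZSK=
foo.example.com.   3600 IN DNSKEY 256 3 13 ConstructedECDSAKey==
other.example.com. 3600 IN DNSKEY 257 3 5 AwEAAcIgnoredOtherZone=
"""

if __name__ == "__main__":
    print(disable_algorithms_stanza("foo.example.com", SAMPLE))
```

Run `named-checkconf` on the resulting configuration before reloading the resolver.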