> I'm about to start DNSSEC validation on my resolvers (BIND 9.8) but > wanted to know beforehand if there was a way to disable DNSSEC > validation for particular domains. I searched the archives and found > the answer to be "no" (at present time).
The answer is still no. We do have "negative trust anchors" on the roadmap for 9.11, but that's not scheduled for release until 2015. (I might make it available as an unsupported patch before then if there's demand for it, but not as an official published release.) It'll be implemented as an rndc command that temporarily suppresses DNSSEC validation below a specified name, for a configurable period of time defaulting to one hour and not exceeding one day. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users