Evan Hunt answers Jukka Pakkanen:
> In newer releases there's also a configuration option, "validate-except",
> which permanently disables validation below specified domains. This can
> be used, for example, if you have an internal network using a fake TLD
> and you want to prevent it from showing up as bogus.

... and in a separate message, John W. Blue wrote:

> 1. DNSSEC was designed for external zones

I have a case where I recently had to use "validate-except" because of a domain (not mine) whose external view is signed but not the internal view; my resolver gets the internal view for that zone.

Can someone enlighten me as to why "DNSSEC was designed for external zones", and under what circumstances it makes sense to *not* sign an internal view?

It seems to me that it would be most consistent to sign both external and internal views.

Anne.
--
Ms. Anne Bennett, Senior Sysadmin, ENCS, Concordia University, Montreal H3G 1M8
a...@encs.concordia.ca +1 514 848-2424 x2285