Ability to exclude a domain from DNSSEC validation?

Hello, I am new to Unbound, and I was wondering if there is an easy
way to exclude a particular domain from DNSSEC validation.

For example, if a popular site (say nasa.gov) updates their keys
incorrectly so that their domain fails validation, you contact their
admins, and with a high level of confidence you determine this is a
configuration mistake and not a security breach, you can then exclude
them from DNSSEC validation so your customers can access their site
while they fix their error.

I think I can accomplish this with a "stub-zone", but if there is some
"skip-dnssec" configuration option, that seems easier.

Does anyone have any suggestions or thoughts?

Hi Augie,

Unbound has the 'domain-insecure' option for this: http://unbound.net/documentation/unbound.conf.html

Cheers,

Augie,

Hello, I am new to Unbound, and I was wondering if there is an easy
way to exclude a particular domain from DNSSEC validation.

Use Unbound's "domain-insecure" option, which you add to unbound.conf or
add on-the-fly to the running server with `unbound-control'. (Note that
adding on-the-fly doesn't survive a server restart.)

        -JP

Excellent! Works like a charm, thank you. --Augie
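
An added example, not part of the original thread: a small audit helper that lists the `domain-insecure` exemptions in an unbound.conf-style file and checks whether a query name falls under one, since an exemption covers the named domain and everything beneath it. The sample config and query names are constructed; the runtime equivalents are `unbound-control insecure_add <zone>` and `unbound-control insecure_remove <zone>`.

```shell
#!/bin/sh
# Added example: audit which names skip DNSSEC validation because of
# domain-insecure entries. Helper names and sample data are hypothetical.

# Print every active domain-insecure value in the given config file,
# lowercased, without quotes or a trailing dot.
insecure_domains() {
    awk '
        { sub(/#.*/, "") }                # drop comments, re-split fields
        $1 == "domain-insecure:" {
            d = tolower($2)
            gsub(/"/, "", d); sub(/\.$/, "", d)
            if (d != "") print d
        }' "$1"
}

# Return 0 if query name $1 is covered by an exemption in config file $2.
# Matching is on label boundaries: "nasa.gov" covers "www.nasa.gov"
# but not "notnasa.gov".
is_exempt() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    for d in $(insecure_domains "$2"); do
        case "$name" in
            "$d" | *."$d") return 0 ;;
        esac
    done
    return 1
}

# Constructed sample config for demonstration.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
server:
    # temporary exemption while the zone operator repairs their keys
    domain-insecure: "nasa.gov"
    # domain-insecure: "example.org"
    domain-insecure: "Example.NET."
EOF

for q in www.nasa.gov notnasa.gov example.org mail.example.net; do
    if is_exempt "$q" "$SAMPLE"; then
        echo "$q: validation skipped"
    else
        echo "$q: validated"
    fi
done
```

Running the same check on a schedule against the live config is one way to notice exemptions that were meant to be temporary and never removed.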