Support for "negative trust anchors" in bind



  • Red Hat Enterprise Linux 7


  • bind 9.11 included more fine grained DNSSEC validation features, called negative trust anchors (see IETF RFC 7646)
  • This would allow to use DNSSEC for all queries, while the DNSSEC validation for specific domains known to be failing validation due to administrative error could still be disabled


Update to bind-9.9.4-72.el7 shipped with Advisory RHBA-2018:3136 or newer.

Root Cause

Previously, if DNSSEC validation was enabled and a specific domain was failing, no hosts in that domain could be reached. With this release, you can configure exemptions from DNS Security Extensions (DNSSEC) validation for selected zones if the validation fails because of incorrect configuration, not an attack. The addresses of the hosts in the failing domain are resolved as unsigned and can be reached, while all other names are validated for security risks.
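As an added illustration (not part of this solution), the workflow a resolver operator would follow on a BIND 9.11-style server: confirm that the SERVFAIL is really a DNSSEC validation failure by comparing a normal query with a checking-disabled (+cd) query, then add a time-limited negative trust anchor. The `rndc nta` interface and the 127.0.0.1 resolver address are assumptions; the solution text does not say which interface the RHEL backport exposes.

```shell
#!/bin/bash
# Added example, not part of the Red Hat solution: confirm that a SERVFAIL is a
# DNSSEC validation failure, then add a temporary negative trust anchor (NTA,
# RFC 7646) with "rndc nta". Assumed: the local named speaks the BIND 9.11
# "rndc nta" interface and rndc is already configured; the solution text does
# not say which interface the RHEL backport exposes.
set -eu

# Pull the response code out of dig output read from stdin
# (the ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, ..." line).
parse_status() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# $1 = status of a normal query, $2 = status with checking disabled (+cd).
# SERVFAIL that becomes NOERROR with +cd means the data exists but failed
# validation; SERVFAIL in both cases is an upstream/zone problem, not DNSSEC.
classify_failure() {
    case "$1:$2" in
        SERVFAIL:NOERROR) echo validation-failure ;;
        SERVFAIL:*)       echo upstream-failure ;;
        *)                echo ok ;;
    esac
}

# $1 = name to query, $2 = optional extra dig flag (e.g. +cd)
query_status() {
    dig @127.0.0.1 "$1" A +dnssec ${2:-} | parse_status
}

main() {
    domain=$1; lifetime=${2:-1h}   # short lifetime: the zone owner should fix signing
    verdict=$(classify_failure "$(query_status "$domain")" "$(query_status "$domain" +cd)")
    case "$verdict" in
        validation-failure)
            echo "DNSSEC validation fails for $domain; adding NTA for $lifetime"
            rndc nta -lifetime "$lifetime" "$domain"
            rndc nta -dump | grep -F "$domain" ;;   # show the active exemption
        upstream-failure) echo "$domain fails even with +cd; not a DNSSEC issue, no NTA" ;;
        ok)               echo "$domain validates; no NTA needed" ;;
    esac
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run as `./nta-check.sh example.com 2h`; the NTA expires on its own, so the exemption does not silently outlive the administrative error it was meant to bridge.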
