- Red Hat Enterprise Linux 7
- bind 9.11 included more fine-grained DNSSEC validation features, called negative trust anchors (see IETF RFC 7646)
- This would allow DNSSEC to be used for all queries, while DNSSEC validation could still be disabled for specific domains known to be failing validation due to administrative error
bind-9.9.4-72.el7 shipped with Advisory RHBA-2018:3136 or newer.
DNSSEC validation was enabled and a specific domain was failing, no hosts in that domain could be reached. With this release, you can configure exemptions from DNS Security Extensions (DNSSEC) validation for selected zones if the validation fails because of incorrect configuration, not an attack. The addresses of the hosts in the failing domain are resolved as unsigned and can be reached, while all other names are validated for security risks.
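The workflow this implies, as an added example that is not part of the Red Hat article: compare a normal query with one sent with `+cd` (checking disabled) to confirm that validation is what breaks the name, then add a time-limited negative trust anchor. It assumes the upstream BIND 9.11 `rndc nta` syntax and a validating resolver on 127.0.0.1; the helper names `rcode_of`, `classify` and `valid_domain` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the Red Hat article. Assumes upstream BIND 9.11
# `rndc nta` syntax and a validating resolver (default 127.0.0.1).

# Read dig output on stdin and print the rcode from its header line.
rcode_of() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# $1 = rcode of a normal query, $2 = rcode of the same query sent with +cd.
classify() {
    case "$1/$2" in
        SERVFAIL/NOERROR|SERVFAIL/NXDOMAIN)
            echo validation-failure ;;  # data is served, only DNSSEC rejects it
        SERVFAIL/*)
            echo other-failure ;;       # broken even with validation skipped
        *)
            echo no-failure ;;
    esac
}

# Accept only multi-label names, so a typo cannot exempt a whole TLD and a
# leading "-" cannot be read by rndc as an option.
valid_domain() {
    case $1 in
        ''|.*|-*|*..*|*[!A-Za-z0-9._-]*) return 1 ;;
        *.?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: script DOMAIN [LIFETIME]   (LIFETIME uses TTL-style suffixes, e.g. 1h)
main() (
    domain=$1 lifetime=${2:-1h} resolver=${RESOLVER:-127.0.0.1}
    valid_domain "$domain" || { echo "refusing name: $domain" >&2; exit 2; }
    normal=$(dig @"$resolver" "$domain" SOA +noall +comments | rcode_of)
    nocheck=$(dig @"$resolver" "$domain" SOA +cd +noall +comments | rcode_of)
    verdict=$(classify "$normal" "$nocheck")
    echo "$domain: normal=$normal cd=$nocheck -> $verdict"
    [ "$verdict" = validation-failure ] || exit 1
    # This only shows that validation is the cause. Whether it is a
    # misconfiguration and not an attack still has to be confirmed out of band.
    rndc nta -lifetime "$lifetime" "$domain" && rndc nta -dump
)

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Once the zone is fixed, `rndc nta -remove DOMAIN` drops the exemption before it expires.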