Maintained by: NLnet Labs

[Unbound-users] Ability to exclude a domain from DNSSEC validation?

Augie Schwer
Wed Mar 7 02:27:25 CET 2012

Hello, I am new to Unbound, and I was wondering if there is an easy
way to exclude a particular domain from DNSSEC validation.

For example if a popular site ( say ) updates their keys
incorrectly so that their domain fails validation, you contact their
admins. and with a high level of confidence you determine this is a
configuration mistake and not a security breach, you can then  exclude
them from DNSSEC validation so your customers can access their site
while they fix their error.

I think I can accomplish this with a "stub-zone", but if there is some
"skip-dnssec" configuration option, that seems easier.

Does anyone have any suggestions or thoughts?

Augie Schwer    -    Augie at    -