Maintained by: NLnet Labs

[Unbound-users] Ability to exclude a domain from DNSSEC validation?

Wolfgang Nagele
Wed Mar 7 02:45:58 CET 2012

Hi Augie,

Unbound has the 'domain-insecure' option for this:


Wolfgang Nagele
Senior Systems and Network Administrator
AusRegistry Pty Ltd
Level 8, 10 Queens Road
Melbourne, Victoria, Australia, 3004
Phone +61 3 9090 1756
Email: wolfgang.nagele at


On Mar 7, 2012, at 12:27 PM, Augie Schwer wrote:

> Hello, I am new to Unbound, and I was wondering if there is an easy
> way to exclude a particular domain from DNSSEC validation.
> For example if a popular site ( say ) updates their keys
> incorrectly so that their domain fails validation, you contact their
> admins, and with a high level of confidence you determine this is a
> configuration mistake and not a security breach, you can then exclude
> them from DNSSEC validation so your customers can access their site
> while they fix their error.
> I think I can accomplish this with a "stub-zone", but if there is some
> "skip-dnssec" configuration option, that seems easier.
> Does anyone have any suggestions or thoughts?
> -- 
> Augie Schwer    -    Augie at    -
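
An added example, not part of the original thread: because the exclusion discussed above is meant to last only while the operator fixes their error, this sketch renders `domain-insecure` lines from a list of exceptions with expiry dates and drops the expired ones. The domain names, dates, reasons and function names are constructed for illustration.

```python
import re
from datetime import date

# Constructed sample exceptions: (domain, expiry date, reason). Not from the thread.
EXCEPTIONS = [
    ("broken-signer.example.", date(2012, 3, 14), "expired RRSIGs, operator confirmed"),
    ("old-incident.example", date(2012, 2, 1), "key rollover error, since fixed"),
]

# One DNS label: letters, digits, '_' or '-', not starting or ending with '-'.
LABEL = re.compile(r"(?!-)[a-z0-9_-]{1,63}(?<!-)")


def normalize(domain):
    """Lower-case, strip the trailing dot, and reject anything that is not a
    plain hostname-style name, so no quotes or newlines reach the config.
    The root (".") is rejected: it would switch validation off everywhere."""
    name = domain.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        raise ValueError(f"bad domain name: {domain!r}")
    for label in name.split("."):
        if not LABEL.fullmatch(label):
            raise ValueError(f"bad label {label!r} in {domain!r}")
    return name


def render(exceptions, today):
    """Return unbound.conf text with one domain-insecure line per exception
    that has not expired; expired entries are dropped so validation resumes."""
    lines = ["server:"]
    for domain, expires, reason in sorted(exceptions):
        if expires < today:
            continue
        reason = " ".join(reason.split())  # keep the comment on one line
        lines.append(f"    # until {expires.isoformat()}: {reason}")
        lines.append(f'    domain-insecure: "{normalize(domain)}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed "today" matching the date of the thread.
    print(render(EXCEPTIONS, date(2012, 3, 7)), end="")
```

The output is meant to be written to a file that the main unbound.conf pulls in with `include:`, regenerated on a schedule so that expired exceptions disappear without manual cleanup.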