BIND 9.11 introduced Negative Trust Anchors (NTAs) as a means to temporarily disable DNSSEC validation for a zone when you know that the zone's DNSSEC is mis-configured.
NTAs are added using the rndc command, e.g.:
    rndc nta example.com
    Negative trust anchor added: example.com/_default, expires 14-Dec-2016 13:39:09.000
The list of currently configured NTAs can also be examined using:
    rndc nta -dump
    example.com: expiry 14-Dec-2016 13:39:09.000
The default lifetime of an NTA is one hour although, by default,
BIND will poll the zone every five minutes to see if the zone now
correctly validates, at which point the NTA will automatically expire.
Both the default lifetime and the polling interval may be configured
in named.conf, and the lifetime can be overridden on a
per-zone basis using the
-lifetime duration parameter
to rndc nta. Both timer values have a permitted maximum
value of one week.
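An added example, not part of the original page or of BIND: because each NTA suspends DNSSEC validation for a zone, this Python code parses rndc nta -dump output in the format shown above and flags entries whose remaining lifetime exceeds the one-hour default or the one-week maximum. The function names, the tolerated "/view" suffix and the second sample line are assumptions; timestamps are compared as naive local times against a caller-supplied now.

```python
import re
from datetime import datetime, timedelta

DEFAULT_LIFETIME = timedelta(hours=1)   # default NTA lifetime stated above
MAX_LIFETIME = timedelta(weeks=1)       # permitted maximum stated above
MONTHS = {m: i + 1 for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split())}

# Matches "example.com: expiry 14-Dec-2016 13:39:09.000". An optional "/view"
# suffix on the zone name is tolerated (assumption, modelled on "/_default").
LINE_RE = re.compile(
    r"^(?P<zone>[^\s/:]+)(?:/[^\s:]+)?:\s+expiry\s+"
    r"(?P<d>\d{1,2})-(?P<mon>[A-Za-z]{3})-(?P<y>\d{4})\s+"
    r"(?P<h>\d{2}):(?P<mi>\d{2}):(?P<s>\d{2})(?:\.\d+)?$")

def parse_nta_dump(text):
    """Return [(zone, expiry)] and fail loudly on lines that do not parse."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE_RE.match(line)
        if m is None or m["mon"].title() not in MONTHS:
            raise ValueError(f"unrecognised NTA line: {line!r}")
        entries.append((m["zone"], datetime(
            int(m["y"]), MONTHS[m["mon"].title()], int(m["d"]),
            int(m["h"]), int(m["mi"]), int(m["s"]))))
    return entries

def audit_ntas(text, now, threshold=DEFAULT_LIFETIME):
    """Classify each NTA by the time left before validation resumes."""
    findings = []
    for zone, expiry in parse_nta_dump(text):
        remaining = expiry - now
        status = "ok"
        if remaining <= timedelta(0):
            status = "expired"
        elif remaining > MAX_LIFETIME:
            status = "exceeds-maximum"  # dump or clock is suspect
        elif remaining > threshold:
            status = "extended"         # lifetime was raised above the default
        findings.append((zone, status, remaining))
    return findings

# Constructed sample; the first line is the dump output shown above.
SAMPLE_DUMP = """example.com: expiry 14-Dec-2016 13:39:09.000
broken.example.net: expiry 20-Dec-2016 12:40:00.000
"""

if __name__ == "__main__":
    for zone, status, left in audit_ntas(SAMPLE_DUMP, datetime(2016, 12, 14, 12, 40)):
        print(f"{zone:20} {status:16} {left}")
```

Pass a larger threshold if the default lifetime has been raised in named.conf, so that only per-zone overrides are reported as extended.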