DNS Tech Support Training Courses DNSSEC Consulting DNS Monitoring System Audit Customer Portal
The DNS Institute
Documentation Implementations Research DNS History Free DNS Tools

Negative Trust Anchors

BIND 9.11 introduced Negative Trust Anchors (NTAs) as a means to temporarily disable DNSSEC validation for a zone when you know that the zone's DNSSEC is mis-configured.

NTAs are added using the rndc command, e.g:

$ rndc nta example.com
 Negative trust anchor added: example.com/_default, expires 14-Dec-2016 13:39:09.000

The list of currently configured NTAs can also be examined using rndc, e.g:

$ rndc nta -dump
 example.com: expiry 14-Dec-2016 13:39:09.000

The default lifetime of an NTA is one hour although, by default, BIND will poll the zone every five minutes to see if the zone now correctly validates, at which point the NTA will automatically expire. Both the default lifetime and the polling interval may be configured via named.conf, and the lifetime can be overriden on a per-zone basis using the -lifetime duration parameter to rndc nta. Both timer values have a permitted maximum value of one week.

Contact Us | About | Site Map |  Gab |  Twitter