On Wed, Jun 11, 2025 at 04:56:14PM +0200, Jan-Piet Mens via Pdns-users wrote:
> > rec_control add-nta domain.example botched keyroll
> >
> > would set dnssec validations for domain.example. to "off"?
>
> Correct, though the multiple arguments as reason look a bit suspicious to me; I
> can
> rec_control add-nta domain.example botched keyroll
> would set dnssec validations for domain.example. to "off"?

Correct, though the multiple arguments as reason look a bit suspicious to me; I
cannot test now, but it might be you have to quote the "botched keyroll"
arguments.
-JP
Thanks - I didn't know this parameter - so basically this...
rec_control add-nta domain.example botched keyroll
Added Negative Trust Anchor for domain.example. with reason 'botched keyroll'
would set dnssec validations for domain.example. to "off"?
On Wed, 11 June 2025 at 16:21
I think the safest in this situation would be to add a Negative Trust Anchor
(NTA) [1] in order to temporarily disable DNSSEC validation in your Recursor
for that particular authoritative zone. While the NTA [2] is active you could
try contacting the operator of the (obviously) broken authoritativ