0

In a domain running DNSSEC, is it possible to exclude a single record from DNSSEC? For example, would it be possible to have mail.example.com running DNSSEC, but www.example.com not running DNSSEC? The reason for asking is that we have a webhosting provider who has issues setting up SSL/TLS for a site because we have DNSSEC running on the DNS for our zone.

I can't see a way to do this in the BIND documentation, but is there some other way?

Sam Critchley
  • Quantim's answer is right, but DNSSEC is already complicated by itself and full of traps, so I really recommend to just either do DNSSEC fully and correctly or no DNSSEC at all, as any "partial" solution will only bring you more trouble. I am not sure I understand the "who has issues setting up SSL/TLS for a site because we have DNSSEC running on the DNS for our zone". I do not see the relationship between the two, and I think this is your real problem to solve instead of trying to play with the DNSSEC setup in a way it was not planned to be done. – Patrick Mevzek Jan 01 '19 at 16:53

1 Answer

4

Theoretically this can be done by creating an unsigned subzone for the given name, but don't do it. A much better way is to change webhosting provider, because yours is incompetent. If DNSSEC breaks their SSL/TLS settings, they do some ugly magic with DNS, and this is nothing which you want in your zone.

Quantim
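What the unsigned subzone mentioned in the answer looks like in the parent zone's data, and how to audit for it, as an added example that is not part of the original answer: in a signed zone, a delegation (NS records below the apex) with no DS record is an insecure delegation, so validating resolvers treat every name under it as unsigned. The zone contents, name server names and function names are constructed for illustration, and the parser assumes one record per line with fully qualified owner names.

```python
# Constructed parent-zone data for example.com (not from the original post).
# www is delegated WITHOUT a DS record (unsigned subzone); shop has a DS.
ZONE = """\
example.com.      3600 IN SOA    ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 3600
example.com.      3600 IN NS     ns1.example.com.
example.com.      3600 IN DNSKEY 257 3 13 (constructed-placeholder-key)
mail.example.com. 3600 IN A      192.0.2.25
www.example.com.  3600 IN NS     ns1.webhost.example.
www.example.com.  3600 IN NS     ns2.webhost.example.
shop.example.com. 3600 IN NS     ns1.shop-dns.example.
shop.example.com. 3600 IN DS     12345 13 2 (constructed-placeholder-digest)
"""

def parse_records(text):
    """Yield (owner, type, rdata) from simplified one-record-per-line zone text."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        owner, rest = fields[0].lower(), fields[1:]
        if rest[0].isdigit():                     # optional TTL
            rest = rest[1:]
        if rest[0].upper() == "IN":               # optional class
            rest = rest[1:]
        yield owner, rest[0].upper(), " ".join(rest[1:])

def classify_delegations(text, apex):
    """Map each delegation point to 'secure' (DS present) or 'insecure' (no DS)."""
    apex = apex.lower()
    ns_owners, ds_owners = set(), set()
    for owner, rtype, _ in parse_records(text):
        if rtype == "NS" and owner != apex:       # NS below the apex = zone cut
            ns_owners.add(owner)
        elif rtype == "DS":
            ds_owners.add(owner)
    return {o: ("secure" if o in ds_owners else "insecure") for o in sorted(ns_owners)}

def covering_delegation(name, delegations):
    """Return the delegation point at or above name, or None if the parent zone answers."""
    labels = name.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in delegations:
            return candidate
    return None

if __name__ == "__main__":
    cuts = classify_delegations(ZONE, "example.com.")
    for name in ("mail.example.com.", "www.example.com.", "shop.example.com."):
        cut = covering_delegation(name, cuts)
        print(name, "signed by parent zone" if cut is None else f"{cuts[cut]} delegation at {cut}")
```

Any name reported under an insecure delegation loses DNSSEC protection entirely, which is the trade-off the answer warns against.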