[nsd-users] intentional bad DNSSEC and NSEC3

Michael A. Peters mpeters at domblogger.net
Sun Apr 9 04:54:25 UTC 2017

Hello list,

I am attempting to create a single record in a zone file that will not 
DNSSEC validate. The purpose of this is to give myself a means of 
checking DNSSEC validation on my local systems.

What I am doing is creating both an A and AAAA record with the name 
ffinvalid and then after signing the zone, using sed to change ffinvalid 
to invalid.

What I don't know is what impact, if any, that will have on NSEC3 
records. Will that break by NSEC3 records?

More information about the nsd-users mailing list