On 05/06/2026 08.57, Jiri Masek via knot-resolver-users wrote:
> I believe this cannot be solved on knot-resolver, since negative-trust-anchors does not disable that aggressive cache for selected domains.

OK.  At a glance, it makes sense to turn off aggressive synthesis for names under a negative TA, so I'd like that in future.

In the current version, similar use cases were meant (since commit 6f1d9b6140f0e) to be covered by:

forward:
  - subtree: "corp"
    servers:
      - 10.11.2.36
    options:
      authoritative: false
      dnssec: false

(or with authoritative: true in case you also have an auth server for these names)

The general cases were expected to go directly without forwarding, but I believe you can combine like:

forward:
  - subtree: "."
    servers:
      - 10.11.2.36
    options:
      authoritative: false
      dnssec: true
  - subtree: "corp"
    servers:
      - 10.11.2.36
    options:
      authoritative: false
      dnssec: false

I haven't really tested these now, but at a glance the code for disabling aggressive synthesis should fire for names covered by forwarding with dnssec: false.

--Vladimir