Exempt .local from dnssec validation on resolver?
John Thurston
john.thurston at alaska.gov
Thu Jul 25 20:52:18 UTC 2019
For historical reasons we have some forward-zones defined on our
resolver (v9.11.9). For example:
zone "foo.local" { type forward; forwarders { 10.1.2.3; }; };
zone "bar.local" { type forward; forwarders { 10.4.5.6; }; };
These are obviously invalid TLDs, and are defined on servers over which
I have no influence or control. The difficulty is if my named.conf contains:
dnssec-validation auto;
then I'm unable to return records for things like a.foo.local, and my
log contains info-messages of the sort:
---
lame-servers: info: insecurity proof failed resolving 'foo.local/SOA/IN': 10.1.2.3#53
dnssec: info: validating foo.local/SOA: got insecure response; parent indicates it should be secure
---
Is there any way to tell my resolver it shouldn't be validating
responses for foo.local?
Or must I assert authority over .local and delegate authority for 'foo'
and 'bar' back to the servers which are already answering for them?
--
Do things because you should, not just because you can.
John Thurston 907-465-8591
John.Thurston at alaska.gov
Department of Administration
State of Alaska
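
Added example, not part of the original post: a small Python check that correlates the two log messages quoted above with the forward zones in a named.conf, to list which forward zones are failing DNSSEC validation and for which names. The function names, the example.com zone with its 10.7.8.9 forwarder, and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed named.conf fragment in the shape the post describes.
NAMED_CONF = '''
zone "foo.local" { type forward; forwarders { 10.1.2.3; }; };
zone "bar.local" { type forward; forwarders { 10.4.5.6; }; };
zone "example.com" { type forward; forwarders { 10.7.8.9; }; };
'''

# Constructed log lines modelled on the two messages quoted in the post.
LOG = '''
lame-servers: info: insecurity proof failed resolving 'foo.local/SOA/IN': 10.1.2.3#53
dnssec: info: validating foo.local/SOA: got insecure response; parent indicates it should be secure
lame-servers: info: insecurity proof failed resolving 'a.bar.local/A/IN': 10.4.5.6#53
dnssec: info: validating www.example.com/A: no valid signature found
'''

ZONE_RE = re.compile(
    r'zone\s+"?([\w.-]+)"?\s*\{\s*type\s+forward\s*;\s*forwarders\s*\{([^}]*)\}', re.I)
PROOF_RE = re.compile(r"insecurity proof failed resolving '([^/']+)/(\w+)/IN'")
INSECURE_RE = re.compile(
    r"validating ([^/\s]+)/(\w+): got insecure response; parent indicates it should be secure")

def forward_zones(conf):
    """Map each forward zone name to its list of forwarder addresses."""
    return {m.group(1).lower().rstrip('.'): m.group(2).replace(';', ' ').split()
            for m in ZONE_RE.finditer(conf)}

def covering_zone(qname, zones):
    """Return the longest configured forward zone containing qname, or None."""
    labels = qname.lower().rstrip('.').split('.')
    for i in range(len(labels)):
        candidate = '.'.join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def broken_forward_zones(conf, log):
    """Forward zones with insecurity-proof failures, and the names affected."""
    zones = forward_zones(conf)
    hits = defaultdict(set)
    for line in log.splitlines():
        m = PROOF_RE.search(line) or INSECURE_RE.search(line)
        if m:
            zone = covering_zone(m.group(1), zones)
            if zone:
                hits[zone].add(f"{m.group(1)}/{m.group(2)}")
    return {zone: sorted(names) for zone, names in hits.items()}
```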