strange dnssec question

Mark Andrews marka at isc.org
Wed Aug 18 00:49:16 UTC 2021


> On 18 Aug 2021, at 10:23, Edwardo Garcia <wdgarc88 at gmail.com> wrote:
> 
> Hola Mark,
> 
> Thank you, so to be clear, what does it mean to delegate the zone, the black zone? I am not a DNS expert unfortunately

Yes, create a separate zone for black.example.net.

In example.net you add NS records for black.example.net.  They can use the
same nameservers as for example.net.

black.example.net. NS some.name.server.
black.example.net. NS some-other.name.server.

You will end up with 2 zone clauses.  Apart from the obvious name differences
you won’t add the instructions to sign black.example.net to its stanza.

zone example.net {
	type primary;
	file "example.net.db";
	...
};

zone black.example.net {
	type primary;
	file "black.example.net.db";
	...
};

The top of black.example.net.db has an SOA record and the same NS records
as you put in the parent zone for it.  The two sets of NS records are
supposed to be the same.

Mark

> On Wed, Aug 18, 2021 at 6:23 AM Mark Andrews <marka at isc.org> wrote:
> Delegate the zone. Do NOT add a DS for it.
> 
> -- 
> Mark Andrews
> 
>> On 17 Aug 2021, at 23:47, Edwardo Garcia <wdgarc88 at gmail.com> wrote:
>> 
>> 
>> Hola
>> 
>> We have had DNSSEC working for a long time but now need to have a subdomain excluded; we are going to use it to replace an internal blacklist. We have 14 SMTP servers and it is cumbersome to keep in sync.
>> 
>> So we have example.net signed,
>> but we want black.example.net, and of course all addresses under it, e.g. 4.3.2.1.black.example.net, to work. At present of course this presents SERVFAIL because of DNSSEC; obviously "black" needs to be in the example.net zone, and its DNS is ns999, which works when DNSSEC is disabled, but this is not optimal.
>> 
>> Looking for suggestions or guidance on how we fix this, please? Or is this not possible?
>> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
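
Added example, not part of the original message and not ISC code: a small Python check for the two conditions in the reply above, namely that the parent and child NS sets for black.example.net match and that the parent publishes no DS for it. The function names, the hostmaster address and the sample zone text are assumptions, and the parser handles only one record per line (no $ORIGIN, no parenthesised records, no blank-owner lines).

```python
def fqdn(name, origin):
    """Lower-case absolute name; '@' and relative names fall under origin."""
    origin = origin.lower().rstrip(".") + "."
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name.lower()}.{origin}"

def records(text, origin):
    """Yield (owner, type, rdata) from one-record-per-line zone text."""
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) < 3 or fields[0].startswith("$"):
            continue
        owner, rest = fqdn(fields[0], origin), fields[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() in ("IN", "CH", "HS")):
            rest = rest[1:]  # skip the optional TTL and class
        if len(rest) >= 2:
            yield owner, rest[0].upper(), rest[1:]

def ns_set(recs, owner, origin):
    return {fqdn(r[0], origin) for o, t, r in recs if o == owner and t == "NS"}

def check_delegation(parent_text, parent_origin, child_text, child_origin):
    """Return a list of problems; an empty list means a clean insecure delegation."""
    child = fqdn("@", child_origin)
    parent = list(records(parent_text, parent_origin))
    parent_ns = ns_set(parent, child, parent_origin)
    child_ns = ns_set(records(child_text, child_origin), child, child_origin)
    problems = []
    if not parent_ns:
        problems.append(f"parent has no NS records for {child}")
    if parent_ns != child_ns:
        problems.append("NS sets differ: " + ", ".join(sorted(parent_ns ^ child_ns)))
    if any(o == child and t == "DS" for o, t, _ in parent):
        problems.append(f"parent publishes DS for {child}")
    return problems

# Constructed sample data using the names from the reply above.
PARENT = """\
example.net. 3600 IN SOA some.name.server. hostmaster.example.net. 1 3600 600 604800 300
black        3600 IN NS  some.name.server.
black        3600 IN NS  some-other.name.server.
"""
CHILD = """\
@ 3600 IN SOA some.name.server. hostmaster.example.net. 1 3600 600 604800 300
@ 3600 IN NS  some.name.server.
@ 3600 IN NS  some-other.name.server.
"""
if __name__ == "__main__": print(check_delegation(PARENT, "example.net", CHILD, "black.example.net"))
```

An NS target written without its trailing dot is treated as relative to the zone origin, so the check reports it as an NS mismatch.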


