strange dnssec question

Edwardo Garcia wdgarc88 at gmail.com
Wed Aug 18 01:08:21 UTC 2021


Thank you, I'll report back the result



On Wed, Aug 18, 2021 at 10:49 AM Mark Andrews <marka at isc.org> wrote:

>
> > On 18 Aug 2021, at 10:23, Edwardo Garcia <wdgarc88 at gmail.com> wrote:
> >
> > Hola Mark,
> >
> > Thank you, so to be clear, what is mean to delegate zone, the black
> > zone? I am not dns expert unfortunately
>
> Yes, create a separate zone for black.example.net.
>
> In example.net you add NS records for black.example.net.  They can use the
> same nameservers as for example.net.
>
> black.example.net. NS some.name.server.
> black.example.net. NS some-other.name.server.
>
> you will end up with 2 zone clauses.  Apart from the obvious name
> differences you won’t add the instructions to sign black.example.net to
> its stanza.
>
> zone example.net {
>         type primary;
>         file "example.net.db";
>         ...
> };
>
> zone black.example.net {
>         type primary;
>         file "black.example.net.db";
>         ...
> };
>
> The top of black.example.net.db has an SOA record and the same NS records
> as you put in the parent zone for it.  The two sets of NS records are
> supposed to be the same.
>
> Mark
>
> > On Wed, Aug 18, 2021 at 6:23 AM Mark Andrews <marka at isc.org> wrote:
> > Delegate the zone. Do NOT add a DS for it.
> >
> > --
> > Mark Andrews
> >
> >> On 17 Aug 2021, at 23:47, Edwardo Garcia <wdgarc88 at gmail.com> wrote:
> >>
> >> 
> >> Hola
> >>
> >> We have dnssec working for long time but need now to have a subdomain
> >> excluded, we are going to use it to replace an internal blacklist, we
> >> have 14 smtp servers and it is cumbersome to keep in sync.
> >>
> >> So we have example.net signed,
> >> but we want black.example.net, and of course all addresses under, eg:
> >> 4.3.2.1.black.example.net  to work, at present of course this presents
> >> SERVFAIL because dnssec, obvious "black" needs to be in example.net zone,
> >> and its dns is ns999 which work when dnssec disabled but this is not optimum
> >>
> >> looking for suggestion or guidance to how we fix this please? Or this
> >> is not possible?
> >>
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
>
>
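
The insecure delegation described in the quoted reply (NS records in the parent, no DS, matching NS and an SOA at the child apex), as a pre-reload check. This is an added example, not part of the original thread or ISC's tooling; the zone text is constructed, uses a simplified "owner type rdata" layout without TTL or class fields, and the function names are hypothetical.

```python
# Constructed sample data: parent (signed) zone and unsigned child zone.
PARENT_ZONE = """\
example.net.        SOA some.name.server. hostmaster.example.net. 1 3600 600 86400 300
example.net.        NS  some.name.server.
example.net.        NS  some-other.name.server.
black.example.net.  NS  some.name.server.
black.example.net.  NS  some-other.name.server.
"""
CHILD_ZONE = """\
black.example.net.  SOA some.name.server. hostmaster.example.net. 1 3600 600 86400 300
black.example.net.  NS  some.name.server.
black.example.net.  NS  some-other.name.server.
"""

def norm(name):
    """Lowercase a name and force exactly one trailing dot."""
    return name.lower().rstrip(".") + "."

def records(text):
    """Yield (owner, type, rdata) from the simplified zone text."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments
        if line:
            owner, rtype, rdata = line.split(None, 2)
            yield norm(owner), rtype.upper(), rdata.strip()

def rrset(text, owner, rtype):
    """Return the set of normalized rdata strings for owner/type."""
    return {norm(r) for o, t, r in records(text) if o == norm(owner) and t == rtype}

def check_insecure_delegation(parent, child, name):
    """Return a list of problems; an empty list means the delegation is consistent."""
    problems = []
    parent_ns, child_ns = rrset(parent, name, "NS"), rrset(child, name, "NS")
    if not parent_ns:
        problems.append("parent has no NS records for " + name)
    if rrset(parent, name, "DS"):
        # A DS tells validators the child is signed; an unsigned child then fails.
        problems.append("parent publishes DS for " + name)
    if not rrset(child, name, "SOA"):
        problems.append("child zone has no SOA at its apex")
    if parent_ns != child_ns:
        problems.append("NS sets differ: parent=%s child=%s"
                        % (sorted(parent_ns), sorted(child_ns)))
    return problems

if __name__ == "__main__":
    print(check_insecure_delegation(PARENT_ZONE, CHILD_ZONE, "black.example.net") or "ok")
```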