DNSSEC and forwarding

Nicholas Miller Nicholas.Miller at Colorado.EDU
Wed Apr 13 15:08:13 UTC 2022


I believe this is the option you are looking for:

	validate-except { domain.example; };

_________________________________________________________
Nicholas Miller, OIT, University of Colorado at Boulder

> On Apr 13, 2022, at 9:02 AM, Duchscher, Dave J via bind-users <bind-users at lists.isc.org> wrote:
> 
> 
>> On Apr 13, 2022, at 12:00 AM, Grant Taylor via bind-users <bind-users at lists.isc.org> wrote:
>> 
>> On 4/12/22 7:18 PM, Duchscher, Dave J via bind-users wrote:
>>> We are dropping this configuration and looking at doing something else.
>> 
>> I'm sorry to hear that.
>> 
>>> We have had intermittent issues with Slack, Microsoft, and a growing 
>>> list of domains. Even have one that consistently fails.
>> 
>> Are you able to share any specific details / examples so that others can 
>> see an example of what to look out for?
> 
> Sure.
> 
> Just to be clear, the setup looks like this:
> 
>  Internal DNS --> DMZ DNS Cache -> World
> 
> Internal DNS is forward only.  Only internal DNS allowed on the DNS
> cache systems.  DNSSEC validation can be enabled or disabled on the
> cache systems since named always sets the check disabled flag when
> forwarding. This also means that you can't forward to an upstream
> DNS system and have it do the DNSSEC validation. Wish there was a
> way to turn this off or if it would only set the check disabled
> flag when DNSSEC validation is enabled.
> 
> Failure mode is that everything looks to work and then a domain
> will stop resolving.  Sometimes we get timeouts, sometimes SERVFAIL,
> and other times NXDOMAIN.
> 
> On a test setup with fresh restart, these domains always fail.
> 
>    cybr.club
>    am-explorer.com
>    simutext.com
>    simutext2.com
> 
> These domains fail randomly and we have not been able to produce
> the failure.
> 
>    a.slack-edge.com
>    portal.azure.com
>    rex-sftp.bncollege.com
> 
> There is also our teams and sharepoint domains but rather not put
> them here.
> 
> I hope this helps. Needless to say, it has been a frustrating
> situation.
> --
> Dave
> 
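The following named.conf fragment is an added example, not part of either message above and not taken from the BIND documentation. It shows how Nicholas's `validate-except` suggestion fits the "Internal DNS" tier in Dave's setup: a forward-only resolver that does its own DNSSEC validation and exempts the four names Dave reports as consistently failing. The forwarder addresses, the client range and the log path are assumptions.

```conf
// Added example: options for the forward-only "Internal DNS" tier.
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { 10.0.0.0/8; };            // assumption: internal clients only

    // Forward everything to the DMZ caches and never fall back to iteration.
    forward only;
    forwarders { 192.0.2.10; 192.0.2.11; };  // assumption: DMZ cache addresses

    // Validate locally against the built-in root trust anchor.
    dnssec-validation auto;

    // Skip validation only for the names listed in the thread as always failing.
    // Answers under these names are then accepted without authentication, so
    // keep the list short and re-check it once the upstream zone is fixed.
    validate-except {
        cybr.club;
        am-explorer.com;
        simutext.com;
        simutext2.com;
    };
};

// Log validation outcomes separately so a SERVFAIL caused by a failed
// validation can be told apart from a timeout toward the forwarders.
logging {
    channel dnssec_log {
        file "/var/log/named/dnssec.log" versions 3 size 5m;   // assumption: path
        severity info;
        print-time yes;
    };
    category dnssec { dnssec_log; };
};
```

`validate-except` needs a BIND 9 release that supports it (9.16 and later); it is a per-name workaround, not a fix, so the dnssec log above is the place to look before adding a name to the list, since the intermittent failures Dave describes (timeouts versus SERVFAIL versus NXDOMAIN) point at different causes and only validation failures are addressed by the exemption.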