Re: Problems with (unsigned) forward zones, dnssec-validation auto and validate-except on BIND 9.16 and 9.17

Gehrkens.IT GmbH | Heiko Wundram heiko.wundram at gehrkens.it
Thu Jan 27 15:05:11 UTC 2022


Hello Tony,

> The other things that can cause the behaviour you observed are synth-from-
> dnssec and qname-minimization.

thanks for the heads up concerning synth-from-dnssec; I thought the default
was "no", but that seems to have changed somewhere between 9.14 and 9.16...
I've just changed that and let's see whether that changes the behaviour. At
least, from the documentation it sounds like it should have the same effect.
qname-minimization is set to relaxed, so that shouldn't have an effect, and
at least all Windows AD DNS-servers I know can cope with
normalized/minimized queries.

> It might make sense to forward the whole of .lan and .local to your Windows
> resolvers, assuming you have one set of servers that knows the whole
> namespace.

As the AD domains aren't part of a singular forest, there is no "global" lan
or local zone, alas. I'm also only able to access other forwarders (rather:
firewalls connected via VPN to the resolver), not the nameservers of the
disjointed forests themselves, which is the main point why setting up an
aggregate .lan/.local-zone is rather difficult, as I can't even put in
proper glue if I were to synthesize a corresponding zone. But I'll try with
synth-from-dnssec, that should do the trick. Thanks!

--- Heiko.
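For reference, the shape of named.conf the thread is about, as an added illustration rather than configuration from the original mail: dnssec-validation auto with the forwarded, unsigned AD domains listed in validate-except, synth-from-dnssec switched off and qname-minimization relaxed, plus one forward zone per disjoint forest. The domain names and forwarder addresses are constructed placeholders.

```conf
options {
    // Validate using the built-in root trust anchor.
    dnssec-validation auto;

    // The forwarded AD domains are unsigned and live under TLDs that do
    // not exist in the public root, so exempt them from validation instead
    // of letting the validator try to prove them through the root chain.
    validate-except { "corp-a.lan"; "corp-b.local"; };

    // Do not synthesize negative answers from cached NSEC records; a cached
    // root proof that .lan does not exist could otherwise answer a query
    // for a name under corp-a.lan before the forward zone is consulted.
    synth-from-dnssec no;

    // Send minimized query names, but fall back to the full name when an
    // upstream server mishandles them.
    qname-minimization relaxed;
};

// One forward zone per disjoint AD forest, pointing at the VPN-side
// forwarder rather than at the forest's own domain controllers.
zone "corp-a.lan" {
    type forward;
    forward only;
    forwarders { 192.0.2.10; };    // placeholder forwarder address
};

zone "corp-b.local" {
    type forward;
    forward only;
    forwarders { 198.51.100.20; }; // placeholder forwarder address
};
```

After reloading, a query for a name under one of the forward zones should return an answer without the AD flag set, confirming that the zone is served via the forwarder and skipped by the validator.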