DNSSEC and forwarding

Duchscher, Dave J dd at tamu.edu
Wed Mar 30 16:05:37 UTC 2022


We have an internal DNS server that we would like to forward its outgoing queries to a main DNS server that connects to the outside world and is doing DNSSEC validation. The problem is that the DNSSEC validation doesn't work for queries from the internal DNS server. Doing DNSSEC validation on the internal DNS server that is forwarding to the main DNS server has been problematic, with some domains failing intermittently and others just not working at all. Is there a way to allow the main DNS server to handle DNSSEC validation?

Here is my test setup on my laptop:

First named config running on port 10000:

logging {
    category default {
        _default_log;
    };
    channel _default_log {
        file "/var/log/named/named-1.log" versions 10 size 1m;
        severity info;
        print-time yes;
    };
};

options {
    directory "/var/named-1";
    listen-on port 10000 { any; };
    allow-query { any; };
    allow-recursion { any; };
    allow-query-cache { any; };
    dnssec-validation no;      // this instance does not validate itself
    forwarders {
        127.0.0.1 port 11000;  // the validating instance below
    };
    forward only;              // never fall back to iterative resolution
};

Second named config running on port 11000:

logging {
    category default {
        _default_log;
    };
    channel _default_log {
        file "/var/log/named/named-2.log" versions 10 size 1m;
        severity info;
        print-time yes;
    };
};

options {
    directory "/var/named-2";
    listen-on port 11000 { any; };
    allow-query { any; };
    allow-recursion { any; };
    allow-query-cache { any; };
    dnssec-validation auto;    // validate using the built-in root trust anchor
};

--
Dave
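An added diagnostic for comparing the two test instances (example code, not from the original post or from BIND): it sends the same query with the EDNS0 DO bit to the forwarding server on port 10000 and the validating server on port 11000 and reports each answer's RCODE and AD flag, so a SERVFAIL or a missing AD bit on one side but not the other shows up directly. The packet builder, the header parser and the 127.0.0.1 address are assumptions of this example.

```python
import random
import socket
import struct
import sys

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
DO_BIT = 0x8000  # EDNS0 "DNSSEC OK" flag, carried in the OPT record's TTL field

def build_query(name, qtype=1, txid=None):
    """Minimal DNS/UDP query: RD set, one question, one EDNS0 OPT record with DO."""
    txid = random.getrandbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, DO_BIT, 0)  # root name, TYPE=OPT
    return header + question + opt

def parse_flags(response):
    """Extract the header fields a validation check cares about from a raw response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "id": txid,
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "ad": bool(flags & 0x0020),  # Authenticated Data: only meaningful from a validator
        "tc": bool(flags & 0x0200),  # truncated: retry over TCP before drawing conclusions
        "answers": an,
    }

def probe(server, port, name, timeout=3.0):
    """Send one query and return its parsed flags; raises on timeout or ID mismatch."""
    txid = random.getrandbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid=txid), (server, port))
        data, _ = sock.recvfrom(4096)
    result = parse_flags(data)
    if result["id"] != txid:
        raise ValueError("transaction ID mismatch")
    return result

if __name__ == "__main__":
    qname = sys.argv[1] if len(sys.argv) > 1 else "example.com."
    # Compare the forwarding instance (10000) against the validating one (11000).
    for port in (10000, 11000):
        try:
            r = probe("127.0.0.1", port, qname)
            print(f"port {port}: rcode={r['rcode']} ad={r['ad']} answers={r['answers']}")
        except (OSError, ValueError) as exc:
            print(f"port {port}: no usable answer ({exc})")
```

Run it once with a correctly signed name and once with a known-bogus test name to see which instance returns SERVFAIL and which sets AD.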