DNSSEC and forward zone
David Carvalho
david at di.ubi.pt
Wed Apr 19 09:49:41 UTC 2023
Hi and thanks for the reply.
Does it make sense to not validate my parent domain entirely? Wouldn’t that also stop exterior validation when I request it?
Thanks!
David
From: Darren Ankney <darren.ankney at gmail.com>
Sent: 19 April 2023 10:27
To: David Carvalho <david at di.ubi.pt>
Cc: Bind Users Mailing List <bind-users at lists.isc.org>
Subject: Re: DNSSEC and forward zone
Hi David,
You can disable validation on one or more domains using "validate-except" - https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-validate-except
Thank you,
Darren Ankney
On Wed, Apr 19, 2023 at 5:05 AM David Carvalho via bind-users <bind-users at lists.isc.org> wrote:
Hello guys
Asking for your help, again.
So after setting up DNSSEC I’ve found I couldn’t reach some internal sites on my top domain, served by internal DNS servers.
There’s no need in hiding domains as my e-mail is shown here.
Top domain
ubi.pt (external DNS Servers authoritative)
Internal DNS servers (windows, Active directory - Recursive)
Internalsite1.ubi.pt
Internalsite2.ubi.pt
…
di.ubi.pt
(both authoritative and recursive for my networks)
Previously I had the following to get internal sites resolved, but now it seems it is completely discarded by dnssec.
zone "ubi.pt" IN {
    type forward;
    forwarders { 192.168.100.1; 192.168.100.2; };
};
Is there any configuration to allow me to be able to access internal sites served by internal dns servers, I guess not using DNSSEC?
Can this only be accomplished by adding these entries to my parent domain?
Thanks!
Kind regards
David Carvalho
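
An added example, not part of the original thread and not ISC's own configuration: a named.conf fragment that combines the forward zone from the original post with the validate-except statement Darren points to. The "forward only" line and the "recursion yes" line are assumptions; the zone name and forwarder addresses are the ones quoted in the thread.

```conf
// Constructed named.conf fragment for the recursive resolver described in the thread.
options {
    recursion yes;                   // assumption: this server resolves for internal clients

    // Keep validating everything else against the built-in root trust anchor.
    dnssec-validation auto;

    // DNSSEC validation is skipped at and beneath each name listed here,
    // even though a trust anchor exists above it. Answers for the internal
    // names that the forwarders return are then accepted without a signed
    // chain from the public ubi.pt zone.
    // Scope caveat: this also covers di.ubi.pt and every other name under
    // ubi.pt, so list the narrowest names that actually need the exemption
    // if the internal hosts can be enumerated.
    validate-except { "ubi.pt"; };
};

// Forward zone from the original post, with the terminating semicolon.
zone "ubi.pt" IN {
    type forward;
    forward only;                    // assumption: do not fall back to iterative resolution
    forwarders { 192.168.100.1; 192.168.100.2; };
};

// Run named-checkconf on the file before reloading named.
```

validate-except only changes what this resolver validates; other validating resolvers still check ubi.pt through the public chain of trust.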