DNSSEC and forward zone

David Carvalho david at di.ubi.pt
Wed Apr 19 09:49:41 UTC 2023


 

Hi and thanks for the reply.

Does it make sense to not validate my parent domain entirely? Wouldn’t that also stop exterior validation when I request it?

Thanks!

David

 

From: Darren Ankney <darren.ankney at gmail.com> 
Sent: 19 April 2023 10:27
To: David Carvalho <david at di.ubi.pt>
Cc: Bind Users Mailing List <bind-users at lists.isc.org>
Subject: Re: DNSSEC and forward zone

 

Hi David,

 

You can disable validation on one or more domains using "validate-except" - https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-validate-except

 

Thank you,

 

Darren Ankney

 

On Wed, Apr 19, 2023 at 5:05 AM David Carvalho via bind-users <bind-users at lists.isc.org> wrote:

Hello guys

Asking for your help, again.

 

So after setting up DNSSEC I’ve found I couldn’t reach some internal sites on my top domain, served by internal DNS servers

There’s no need in hiding domains as my e-mail is shown here.

 

Top domain

ubi.pt (external DNS servers, authoritative)

    Internal DNS servers (Windows, Active Directory - recursive)

        Internalsite1.ubi.pt

        Internalsite2.ubi.pt

        …

di.ubi.pt (both authoritative and recursive for my networks)

 

Previously I had the following to get internal sites resolved, but now it seems it is completely discarded by dnssec.

 

zone "ubi.pt" IN {
        type forward;
        forwarders { 192.168.100.1; 192.168.100.2; };
};

 

Is there any configuration to allow me to be able to access internal sites served by internal dns servers, I guess not using DNSSEC?

Can this only be accomplished by adding these entries to my parent domain?

Thanks!

 

Kind regards

David Carvalho

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
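
The "validate-except" option named in the reply, sketched for the setup described in this thread. This is an added example, not configuration posted by either participant or by ISC. It assumes "dnssec-validation auto" and per-host forward zones in place of the single "ubi.pt" forward zone; the forwarder addresses and host names are the ones quoted in the original message.

```conf
// Added illustration, not taken from the thread.
// Assumption: the resolver validates with the built-in root trust anchor.
options {
        dnssec-validation auto;

        // Broad variant: every name at and below ubi.pt is treated as
        // insecure, so nothing under the parent domain is validated.
        // validate-except { "ubi.pt"; };

        // Narrow variant: only the internal-only names are exempt.
        // Other ubi.pt names are resolved by normal recursion and
        // are still validated.
        validate-except {
                "internalsite1.ubi.pt";
                "internalsite2.ubi.pt";
        };
};

// Assumption: one forward zone per internal name, so that queries for
// the rest of ubi.pt are not sent to the internal servers.
zone "internalsite1.ubi.pt" IN {
        type forward;
        forward only;
        forwarders { 192.168.100.1; 192.168.100.2; };
};

zone "internalsite2.ubi.pt" IN {
        type forward;
        forward only;
        forwarders { 192.168.100.1; 192.168.100.2; };
};
```

Running named-checkconf against the file catches syntax errors before named is reloaded.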

