DNSSEC and forward zone

David Carvalho david at di.ubi.pt
Wed Apr 19 09:55:13 UTC 2023


Anyway, it is working using your suggestion. Apparently everything is also fine from the outside.

But I’ll have to check Petr Špaček's post and study more.

Thanks!

David

 

 

From: Darren Ankney <darren.ankney at gmail.com> 
Sent: 19 April 2023 10:27
To: David Carvalho <david at di.ubi.pt>
Cc: Bind Users Mailing List <bind-users at lists.isc.org>
Subject: Re: DNSSEC and forward zone

 

Hi David,

 

You can disable validation on one or more domains using "validate-except" - https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-validate-except

 

Thank you,

 

Darren Ankney

 

On Wed, Apr 19, 2023 at 5:05 AM David Carvalho via bind-users <bind-users at lists.isc.org> wrote:

Hello guys

Asking for your help, again.

 

So after setting up DNSSEC I’ve found I couldn’t reach some internal sites on my top domain, served by internal DNS servers.

There’s no need to hide domains, as my e-mail is shown here.

 

Top domain

ubi.pt (external DNS Servers authoritative)

        Internal DNS servers (Windows, Active Directory - Recursive)

                Internalsite1.ubi.pt

                Internalsite2.ubi.pt

                …

di.ubi.pt (both authoritative and recursive for my networks)

 

Previously I had the following to get internal sites resolved, but now it seems it is completely discarded by dnssec.

 

zone "ubi.pt" IN {

        type forward;

        forwarders { 192.168.100.1; 192.168.100.2; };

};

 

Is there any configuration to allow me to be able to access internal sites served by internal DNS servers, I guess not using DNSSEC?

Can this only be accomplished by adding these entries to my parent domain?

Thanks!

 

Kind regards

David Carvalho
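
Added example, not part of the original messages: a named.conf sketch of where the "validate-except" option Darren mentions sits relative to the forward zone from David's post. The thread does not say which names David exempted, so the choice of "ubi.pt" and the "dnssec-validation auto" line are assumptions.

```conf
options {
        // Assumed: validation is enabled, as implied by "after setting up DNSSEC".
        dnssec-validation auto;

        // validate-except takes a list of domain names. Validation is skipped
        // at and beneath each name, regardless of any trust anchor above it.
        // It behaves like a negative trust anchor that never expires.
        // Assumed scope: the whole forwarded zone. Answers for any name under
        // ubi.pt are then accepted without DNSSEC validation.
        validate-except { "ubi.pt"; };

        // Narrower alternative (use instead of the line above): exempt only
        // the names that exist solely on the internal servers.
        // validate-except { "internalsite1.ubi.pt"; "internalsite2.ubi.pt"; };
};

// Forward zone as in the original post.
zone "ubi.pt" IN {
        type forward;
        forwarders { 192.168.100.1; 192.168.100.2; };
};
```

Running named-checkconf before reloading catches syntax errors; on a validating resolver, answers for exempt names come back without the "ad" flag in dig +dnssec output.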
