DNSSEC and forward zone

Petr Špaček pspacek at isc.org
Wed Apr 19 11:11:07 UTC 2023


This confirms that the NS record is missing. If there were an NS record in 
the ubi.pt zone, the validator would have detected that the AD zone is not 
signed.

To fix that, just add the NS record and it should start working again.

Petr Špaček

On 19. 04. 23 12:42, David Carvalho wrote:
> Hello and thanks.
> For now I disabled dnssec for the zone, as there were sites that need to be accessible.
> 
> I found
> dnssec: info: validating internalsite2.ubi.pt/CNAME: got insecure response; parent indicates it should be secure
> 
> I've been told Internal dns (windows) are not set to use dnssec, and even if they were, the key would be different than that on the outside servers, which is the same domain.
> 
> Not optimistic....
> Regards
> David
> 
> 
> 
> -----Original Message-----
> From: bind-users <bind-users-bounces at lists.isc.org> On Behalf Of Petr Špacek
> Sent: 19 April 2023 10:35
> To: bind-users at lists.isc.org
> Subject: Re: DNSSEC and forward zone
> 
> You can disable it, but that's just a workaround.
> It would be better to fix it :-)
> 
> I would recommend checking the logs on the resolver which is failing to resolve the domain. I guess you will find a DNSSEC validation error that would tell us what's misconfigured.
> 
> My bet is that the internal domains are missing delegation from the parent domain, which was incorrect even before and worked just accidentally.
> 
> E.g. the ubi.pt zone file needs NS records which point to the subdomains Internalsite1.ubi.pt and di.ubi.pt etc.
> 
> If you do not want these domains to resolve from outside, just configure an ACL on the authoritative servers to not respond to queries from outside of your network.
> 
> I hope it helps.
> Petr Špaček
> 
> 
> 
> On 19. 04. 23 11:27, Darren Ankney wrote:
>> Hi David,
>>
>> You can disable validation on one or more domains using
>> "validate-except" -
>> https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-validate-except
>>
>> Thank you,
>>
>> Darren Ankney
>>
>> On Wed, Apr 19, 2023 at 5:05 AM David Carvalho via bind-users
>> <bind-users at lists.isc.org> wrote:
>>
>>      Hello guys
>>
>>      Asking for your help, again.
>>
>>      So after setting up DNSSEC I’ve found I couldn’t reach some internal
>>      sites on my top domain, served by internal DNS servers.
>>
>>      There’s no need to hide domains as my e-mail is shown here.
>>
>>      Top domain
>>
>>      ubi.pt (external DNS servers, authoritative)
>>
>>          Internal DNS servers (Windows, Active Directory - recursive)
>>          Internalsite1.ubi.pt
>>          Internalsite2.ubi.pt
>>          ...
>>
>>      di.ubi.pt
>>      (both authoritative and recursive for my networks)
>>
>>      Previously I had the following to get internal sites resolved, but
>>      now it seems it is completely discarded by dnssec.
>>
>>      zone "ubi.pt" IN {
>>               type forward;
>>               forwarders { 192.168.100.1; 192.168.100.2; };
>>      };
>>
>>      Is there any configuration to allow me to be able to access
>>      internal sites served by internal dns servers, I guess not using
>>      DNSSEC?
>>
>>      Can this only be accomplished by adding these entries to my parent
>>      domain?
>>
>>      Thanks!
-- 
Petr Špaček
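The delegation fix described above, written out as a fragment of the ubi.pt master file. This is an added example, not the poster's zone or ISC's code; the nameserver hostnames ns1/ns2.internal.ubi.pt and the glue addresses are assumptions, since the thread only names the forwarders 192.168.100.1 and 192.168.100.2.

```zone
; Fragment of the signed ubi.pt zone (added example; hostnames and
; addresses below are assumptions, not the poster's real servers).
$ORIGIN ubi.pt.
$TTL 3600

; ... existing apex records (SOA, NS, DNSKEY, ...) stay as they are ...

; One NS RRset per internally served name, pointing at the internal
; (unsigned, Windows) servers. An NS RRset with NO DS RRset beside it is
; an insecure delegation: after the zone is re-signed, the NSEC/NSEC3
; chain proves "no DS here", and a validating resolver then accepts the
; unsigned answers it gets from the forwarders for these names instead of
; rejecting them as bogus ("parent indicates it should be secure").
di.ubi.pt.              IN NS   ns1.internal.ubi.pt.
di.ubi.pt.              IN NS   ns2.internal.ubi.pt.
internalsite1.ubi.pt.   IN NS   ns1.internal.ubi.pt.
internalsite1.ubi.pt.   IN NS   ns2.internal.ubi.pt.
internalsite2.ubi.pt.   IN NS   ns1.internal.ubi.pt.
internalsite2.ubi.pt.   IN NS   ns2.internal.ubi.pt.

; Address records for the nameserver names (assumed to be the same hosts
; as the forwarders). These live inside ubi.pt itself, so they are ordinary
; signed records, not glue below a cut.
ns1.internal.ubi.pt.    IN A    192.168.100.1
ns2.internal.ubi.pt.    IN A    192.168.100.2
```

The resolver's existing `type forward` zone for ubi.pt can stay as it is; what changes is that the parent now proves the delegation is insecure rather than claiming the names are signed. Because this publishes private addresses in the external zone, apply the ACL on the authoritative servers that Petr mentions if those names should not be answered to outside queries.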
