Resolve some hosts that are dnssec signed differently

Darren Ankney darren.ankney at gmail.com
Sun Feb 5 12:08:34 UTC 2023


Matthias,

This is what I did to force my resolver bind instance to look up my
internal domain directly on my authoritative bind instance without
asking any other servers (would have failed anyway as it is a fake
domain "mylocal"):

// on resolver (or caching name server)
zone "mylocal" {
  type forward;
  forwarders {
    192.168.40.142; // authoritative server 1
    192.168.40.182; // authoritative server 2
  };
  forward only; // don't ask any other server
};

Not sure if that will break dnssec for you. There are probably other
ways to accomplish this, especially for a real domain on real IP
addresses. But maybe it's somewhere to start.

-Darren

On Sun, Feb 5, 2023 at 1:21 AM Matthias Fechner <idefix at fechner.net> wrote:
>
> Dear all,
>
> I have a question regarding a setup I use at home.
> It is for domain idefix.fechner.net.
>
> I have a small server at home running some services on it. As I do
> not have a public IP, I tunnel traffic using pf on FreeBSD and openvpn
> to route a public IP to my server at home.
> This works nice but if I now access idefix.fechner.net it will always go
> outside to the internet and then back through the tunnel to my local
> server which is a real performance problem, as the internet connection
> here is really slow.
>
> The complete domain is dnssec signed using the following configuration:
> zone "fechner.net" {
>          type master;
>          file "../master/fechner.net/fechner.net";
>          dnssec-policy "one-year-zsk";
>          inline-signing yes;
> };
>
> Now I want to make sure if I access idefix.fechner.net that it does not
> use the tunnel but access it directly using the local address.
>
> So the idea was to configure my named running at home to resolve some
> host names differently.
>
> What is here recommended best practice doing it?
>
> Just add a new zone fechner.net and overwrite some A records? I
> think that will break dnssec, or?
>
> Thanks for any pointer into the right direction.
>
> Regards
> Matthias
>
> --
>
> "Programming today is a race between software engineers striving to
> build bigger and better idiot-proof programs, and the universe trying to
> produce bigger and better idiots. So far, the universe is winning." --
> Rich Cook
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
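The following named.conf fragments are an added example to illustrate the two messages above; they are not configuration posted by Darren or Matthias. The addresses are assumptions: 192.168.1.10 stands for the home server that is also the inline-signing master for fechner.net, 192.168.1.1 for the home resolver, and "../keys/fechner.net" for the zone's key directory. The point of the example is the DNSSEC caveat Matthias raises: a validating resolver that is handed an unsigned (or differently signed) A record for a name under the signed zone will mark it bogus and answer SERVFAIL, so overriding records only works if the overriding answer is signed with the zone's own keys (split views sharing one key directory, as below) or validation is switched off for exactly that name (the commented validate-except line).

```conf
// Added example, not from the original thread. All addresses and the
// key-directory path are assumptions.

// --- Authoritative server (192.168.1.10): split views --------------------
// The internal view carries the LAN addresses for idefix.fechner.net.
// Both views use the same dnssec-policy and the same key-directory, so the
// RRSIGs in internal answers are made by the same KSK/ZSK and chain to the
// DS record already published in .net; a validating resolver accepts them.
view "internal" {
    match-clients { 192.168.1.0/24; 127.0.0.0/8; };
    zone "fechner.net" {
        type master;
        file "../master/fechner.net/fechner.net.internal"; // LAN A records
        key-directory "../keys/fechner.net";               // shared with external
        dnssec-policy "one-year-zsk";
        inline-signing yes;
    };
};

view "external" {
    match-clients { any; };
    zone "fechner.net" {
        type master;
        file "../master/fechner.net/fechner.net";          // public A records
        key-directory "../keys/fechner.net";               // same keys
        dnssec-policy "one-year-zsk";
        inline-signing yes;
    };
};

// --- Home resolver (192.168.1.1): ask the local master, never the tunnel --
options {
    dnssec-validation auto;
    // Fallback if the internal copy cannot be signed with the zone's keys:
    // a negative trust anchor for just the overridden name. Everything else,
    // including the rest of fechner.net, keeps validating.
    // validate-except { "idefix.fechner.net"; };
};

zone "fechner.net" {
    type forward;
    forward only;                 // do not fall back to the public NS set
    forwarders { 192.168.1.10; };
};
```

Check the result from a LAN client with delv rather than dig, because delv validates: "delv @192.168.1.1 idefix.fechner.net A" should print the LAN address followed by "; fully validated". If the answer instead comes back SERVFAIL or is reported as bogus, the override is being served without a matching signature. Rewriting the record with a response-policy zone instead has the same constraint: BIND leaves DNSSEC-signed answers alone unless the response-policy statement sets break-dnssec yes, which turns validation off for every rewritten name rather than just this one.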