DNSSEC and forward zones
Lyle Giese
lyle at lcrcomputer.net
Tue Nov 1 18:24:41 UTC 2011
On 11/1/2011 11:23 AM, Phil Mayers wrote:
> On 01/11/11 16:14, Vinny_Abello at Dell.com wrote:
>
>> resolution fail since NXDOMAIN is the valid answer... done, end of
>> story. I thought the forwarder type would bypass this but apparently
>> I am wrong. Is there some other way to handle this for non-existent
>> domains just for testing purposes?
>
> Don't do this. Use a domain you own, and can put a valid (insecure)
> delegation into.
>
> It might be possible with "type static-stub" in bind 9.8, but I don't
> think so; I think it'll have the same effect.
A work-around (and it has some side effects and could be undesirable,
just be aware of the side effects of doing this) is to declare .internal
as a master zone in your DNS servers and then delegate
policydomain.internal to your Windows AD servers in your .internal zone.
I am not saying this is a perfect answer, but it worked for me in a
similar situation.
Lyle Giese
LCR Computer Services, Inc.