Problems with (unsigned) forward zones, dnssec-validation auto and validate-except on BIND 9.16 and 9.17
Tony Finch
dot at dotat.at
Thu Jan 27 14:27:29 UTC 2022
Gehrkens.IT GmbH | Heiko Wundram <heiko.wundram at gehrkens.it> wrote:
>
> From what I gather, this behaviour sounds almost like what RFC 8020 proposes
> (NXDOMAIN cut), but at least according to the corresponding ticket, that
> isn't implemented in BIND.
The other things that can cause the behaviour you observed are
synth-from-dnssec and qname-minimization.
It might make sense to forward the whole of .lan and .local to your
Windows resolvers, assuming you have one set of servers that knows the
whole namespace.
Tony.
--
f.anthony.n.finch <dot at dotat.at> https://dotat.at/
Bailey: Northwest 5 or 6, backing southwest 6 to gale 8, perhaps
severe gale 9 later. Very rough, becoming rough for a time. Showers,
rain later. Good, becoming moderate or poor later.
More information about the bind-users
mailing list