Matus UHLAR - fantomas <uh...@fantomas.sk> wrote: > > I wonder why does it do that. I have configured a zone to be type > forward and expected it to work as confdigured, not be validated > upstream.
Validation is mostly independent of resolution, so even if you configure a zone explicitly, the validator will still go chatting to its parent zones in search of its delegation. (The exception is authoritative zones, which are not validated.) > Do people with private versions of domains have this problem too when > using DNSSEC? Yes :-) I'm relatively lucky that my predecessors set up private.cam.ac.uk rather than a shadow cam.ac.uk which made it easier for them to roll out DNSSEC. > I have feeling that we need to reserve TLD for internal private domains > that would be guaranteed not to use DNSSEC at all. There's no need for that (and that would involve a lot of tricky politics). Instead, either use a subdomain of an existing domain (like us) or register a domain with an insecure delegation for internal use. Tony. -- f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode Lundy, Fastnet, Irish Sea: Variable 4, becoming southwest 5 or 6. Very rough at first in southwest Fastnet, otherwise slight or moderate, occasionally rough except in Irish Sea. Wintry showers, then occasional rain. Good, occasionally poor. _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users