Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
I wonder why does it do that. I have configured a zone to be type
forward and expected it to work as confdigured, not be validated
upstream.
On 07.02.18 14:14, Tony Finch wrote:
Validation is mostly independent of resolution, so even if you configure a
zone explicitly, the validator will still go chatting to its parent zones
in search of its delegation. (The exception is authoritative zones, which
are not validated.)
so I need 9.11 ot turn validation off... great :-)
(np, it was off on other server, I just set up a new one)
Do people with private versions of domains have this problem too when
using DNSSEC?
Yes :-) I'm relatively lucky that my predecessors set up private.cam.ac.uk
rather than a shadow cam.ac.uk which made it easier for them to roll out
DNSSEC.
I have feeling that we need to reserve TLD for internal private domains
that would be guaranteed not to use DNSSEC at all.
There's no need for that (and that would involve a lot of tricky
politics).
other than reserving TLD, not signing it and recommending people to use its
subdomains?
Instead, either use a subdomain of an existing domain (like us)
or register a domain with an insecure delegation for internal use.
neither is possible for now. as I said, neither our customer not itsupstream
does maintain the domain.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam is for losers who can't get business any other way.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
