> On 18 Aug 2021, at 10:23, Edwardo Garcia <wdgar...@gmail.com> wrote:
>
> Hola Mark,
>
> Thank you, so to be clear, what is mean to delegate zone, the black zone? I
> am not dns expert unfortunately
Yes, create a seperate zone for black.example.net.
In example.net you add NS records for black.example.net. They can use the
same nameservers as for example.net.
black.example.net. NS some.name.server.
black.example.net. NS some-other.name.server
you will end up with 2 zone clauses. Apart from the obvious name differences
you won’t add the instructions to sign black.example.net to its stanza.
zone example.net {
type primary;
file “example.net.db”;
...
};
zone black.example.net {
type primary;
file “black.example.net.db”;
...
};
The top of black.example.net.db has an SOA record and the same NS records
as you put in the parent zone for it. The two sets of NS records are
supposed to be the same.
Mark
> On Wed, Aug 18, 2021 at 6:23 AM Mark Andrews <ma...@isc.org> wrote:
> Delegate the zone. Do NOT add a DS for it.
>
> --
> Mark Andrews
>
>> On 17 Aug 2021, at 23:47, Edwardo Garcia <wdgar...@gmail.com> wrote:
>>
>>
>> Hola
>>
>> We have dnssec working for long time but need now to have a subdomain
>> excluded, we are going to be use it to replace an internal blacklist, we
>> have 14 smtp servers and it is cumbersome to keep in sync.
>>
>> So we have example.net signed,
>> but we want black.example.net, and of course all addresses under, eg:
>> 4.3.2.1.black.example.net to work, at present of course this presents
>> SERVFAIL because dnssec, obvious "black" needs to be in example.net zone, nd
>> its dns is ns999 whichwork when dnssec disabled but this is not optimum
>>
>> looking for suggestion or guidance to how we fix this please? Ir this is not
>> possible?
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> ISC funds the development of this software with paid support subscriptions.
>> Contact us at https://www.isc.org/contact/ for more information.
>>
>>
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
