Would it make sense to create a subdomain for internal use, but have the
main zone signed with external records only? Is it possible to make
changes to names?
Can you make for example in.ubi.pt just internal only, not accessible
from outside?
If you want to have your external zone signed with DNSSEC, then internal
zone has to be signed with DNSSEC too. You can workaround different KSK
keys by adding trust anchor to all your validating resolvers. A bit
better solution would be adding DS record to parent pt zone also for
internal KSK key.
If you make internalsite2.ubi.pt unsigned zone, with own NS and SOA,
then it can be not signed, when the main ubi.pt zone is. But the
indication from the parent has to match. Both zones have to be signed or
none. Internal zone would work too with trust-anchor explicitly added to
your resolvers. Unless you want to ignore your own zone signatures,
internal zone should be signed too.
On 4/19/23 11:49, David Carvalho via bind-users wrote:
Hi and thanks for the reply.
Does it make sense to not validate my parent domain entirely? Wouldn’t
that also stop exterior validation when I request it?
Thanks!
David
*From:*Darren Ankney <darren.ank...@gmail.com>
*Sent:* 19 April 2023 10:27
*To:* David Carvalho <da...@di.ubi.pt>
*Cc:* Bind Users Mailing List <bind-users@lists.isc.org>
*Subject:* Re: DNSSEC and forward zone
Hi David,
You can disable validation on one or more domains using
"validate-except" -
https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-validate-except
Thank you,
Darren Ankney
On Wed, Apr 19, 2023 at 5:05 AM David Carvalho via bind-users
<bind-users@lists.isc.org> wrote:
Hello guys
Asking for your help, again.
So after setting up DNSSEC I’ve found I couldn’t reach some
internal sites on my top domain, served by internal DNS servers
There’s no need in hiding domains as my e-mail is shown here.
Top domain
ubi.pt <http://ubi.pt> (external DNS Servers authoritative)
Internal DNS servers (windows, Active directory - Recursive)
Internalsite1.ubi.pt <http://Internalsite1.ubi.pt>
Internalsite2.ubi.pt <http://Internalsite2.ubi.pt>
…
di.ubi.pt <http://di.ubi.pt>
(both authoritative and recursive for my networks)
Previously I had the following to get internal sites resolved, but
now it seems it is completely discarded by dnssec.
zone "ubi.pt <http://ubi.pt>" IN {
type forward;
forwarders { 192.168.100.1; 192.168.100.2; };
}
Is there any configuration to allow me to be able to access
internal sites served by internal dns servers, I guess not using
DNSSEC?
Can this only be accomplished by adding these entries to my parent
domain?
Thanks!
Kind regards
David Carvalho
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list
ISC funds the development of this software with paid support
subscriptions. Contact us at https://www.isc.org/contact/ for more
information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
--
Petr Menšík
Software Engineer, RHEL
Red Hat,https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users