Hi, thanks for the reply. There really is not much I can tell you about my parent zone. For now, I made an exclusion with "validate-except" and everything seems to be working fine both internally and externally.

Not sure about your first suggestion, as the top domain is also served internally by Active Directory. The clients "think" it is the main domain server (except my networks, which use my DNS servers). "A bit better solution would be adding DS record to parent pt zone also for internal KSK key." – I think this is the possibility they are studying. Unfortunately I don't know that much about the parent setup.

Anyway, thanks and regards!
David

From: bind-users <bind-users-boun...@lists.isc.org> On Behalf Of Petr Menšík
Sent: 21 April 2023 10:59
To: bind-users@lists.isc.org
Subject: Re: DNSSEC and forward zone

Would it make sense to create a subdomain for internal use, but have the main zone signed with external records only? Is it possible to make changes to names? Can you make, for example, in.ubi.pt internal only, not accessible from outside?

If you want to have your external zone signed with DNSSEC, then the internal zone has to be signed with DNSSEC too. You can work around different KSK keys by adding a trust anchor to all your validating resolvers. A bit better solution would be adding a DS record to the parent pt zone also for the internal KSK key.

If you make internalsite2.ubi.pt an unsigned zone, with its own NS and SOA, then it can be unsigned when the main ubi.pt zone is signed. But the indication from the parent has to match. Both zones have to be signed or none. The internal zone would work too with a trust anchor explicitly added to your resolvers. Unless you want to ignore your own zone signatures, the internal zone should be signed too.

On 4/19/23 11:49, David Carvalho via bind-users wrote:

Hi and thanks for the reply. Does it make sense to not validate my parent domain entirely? Wouldn't that also stop exterior validation when I request it?
Thanks!
David

From: Darren Ankney <darren.ank...@gmail.com>
Sent: 19 April 2023 10:27
To: David Carvalho <da...@di.ubi.pt>
Cc: Bind Users Mailing List <bind-users@lists.isc.org>
Subject: Re: DNSSEC and forward zone

Hi David,

You can disable validation on one or more domains using "validate-except" - https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-validate-except

Thank you,
Darren Ankney

On Wed, Apr 19, 2023 at 5:05 AM David Carvalho via bind-users <bind-users@lists.isc.org> wrote:

Hello guys,
Asking for your help, again. So after setting up DNSSEC I've found I couldn't reach some internal sites on my top domain, served by internal DNS servers. There's no need in hiding domains as my e-mail is shown here.

Top domain: ubi.pt (external DNS servers, authoritative)
Internal DNS servers (Windows, Active Directory - recursive):
  Internalsite1.ubi.pt
  Internalsite2.ubi.pt
  …
di.ubi.pt (both authoritative and recursive for my networks)

Previously I had the following to get internal sites resolved, but now it seems it is completely discarded by DNSSEC.

zone "ubi.pt" IN {
    type forward;
    forwarders { 192.168.100.1; 192.168.100.2; };
};

Is there any configuration to allow me to access internal sites served by internal DNS servers, I guess not using DNSSEC? Can this only be accomplished by adding these entries to my parent domain?

Thanks!
Kind regards
David Carvalho

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

--
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
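The two resolutions discussed in the thread, side by side as a named.conf fragment for David's recursive server. This is an added example, not configuration posted by anyone in the thread or shipped by ISC: the forwarder addresses and the ubi.pt name come from David's mail, everything else (the option names are real BIND 9 statements, the key data is a placeholder) is assumed. Option A is the "validate-except" workaround Darren pointed to and David applied; Option B is the trust-anchor route Petr described, which keeps validation switched on for the internal copy of the zone. Only one of the two should be active at a time.

```conf
options {
    // Validation stays on for the rest of the namespace.
    dnssec-validation auto;

    // Option A (what David applied): skip DNSSEC validation at and below
    // ubi.pt. Caveat a practitioner should weigh: this exempts *every*
    // name under ubi.pt on this resolver, the public ones included, so
    // answers for ubi.pt names are accepted without any signature check.
    validate-except { "ubi.pt"; };
};

// Hand every ubi.pt query to the internal Active Directory resolvers and
// never fall back to the public authoritative servers, so that names
// which exist only internally (internalsite1.ubi.pt, ...) still resolve.
zone "ubi.pt" IN {
    type forward;
    forward only;
    forwarders { 192.168.100.1; 192.168.100.2; };
};

// Option B (Petr's suggestion): keep validation on and trust the internal
// KSK directly. Remove validate-except above, then add a trust anchor for
// the key the internal copy of ubi.pt is signed with. Because the forward
// zone above sends all ubi.pt traffic to the internal servers, answers are
// signed by that key and validate against this anchor rather than the DS
// published in the parent "pt" zone. A static-key anchor must be updated
// by hand whenever the internal KSK is rolled.
// The key string below is a placeholder, not a real DNSKEY.
trust-anchors {
    "ubi.pt" static-key 257 3 13 "PLACEHOLDER-BASE64-INTERNAL-KSK-PUBLIC-KEY";
};
```

Check the syntax with `named-checkconf` before reloading. To see which state the resolver is in, query an internal name with `dig @127.0.0.1 internalsite1.ubi.pt +dnssec`: under Option A the answer arrives without the `ad` flag (the resolver did not validate it), under Option B a correctly signed internal zone yields an answer with `ad` set, and a SERVFAIL there means the anchor does not match the key the internal zone is actually signed with.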