Re: Exempt .local from dnssec validation on resolver?
One may also want to disable synth-from-dnssec to prevent this NSEC record
synthesising a negative response.
loans. 4070IN NSEClocker. NS DS RRSIG NSEC
If named gets a query for a name in the covered range it will learn the
NSEC record and will synthesise a negative response if there isn’t a cached
positive entry between the looked up name and loans. The IETF decided to
not make a delegation at .local to break the chain of trust.
Mark
> On 26 Jul 2019, at 7:10 am, Evan Hunt wrote:
>
> On Thu, Jul 25, 2019 at 09:03:26PM +, Evan Hunt wrote:
>> In 9.11, no. In 9.14, you can use "validate-except { local; };"
>
> (Afterthought: In 9.11, you can also use "rndc nta" to suppress validation
> on a given domain, but negative trust anchors expire after a while, so you
> have to keep doing it over and over. You could sign the ".local" zone and
> distribute a trust anchor for it to all of your internal resolvers. So, I
> shouldn't have said "no". But the simple fire-and-forget method that you
> seemed to be looking for was not introduced until 9.14.)
>
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Exempt .local from dnssec validation on resolver?
On Thu, Jul 25, 2019 at 09:03:26PM +, Evan Hunt wrote:
> In 9.11, no. In 9.14, you can use "validate-except { local; };"
(Afterthought: In 9.11, you can also use "rndc nta" to suppress validation
on a given domain, but negative trust anchors expire after a while, so you
have to keep doing it over and over. You could sign the ".local" zone and
distribute a trust anchor for it to all of your internal resolvers. So, I
shouldn't have said "no". But the simple fire-and-forget method that you
seemed to be looking for was not introduced until 9.14.)
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Exempt .local from dnssec validation on resolver?
On Thu, Jul 25, 2019 at 12:52:18PM -0800, John Thurston wrote:
> Is there any way to tell my resolver it shouldn't be validating
> responses for foo.local?
In 9.11, no. In 9.14, you can use "validate-except { local; };"
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Exempt .local from dnssec validation on resolver?
For historical reasons we have some forward-zones defined on our
resolver (v9.11.9). For example:
zone foo.local {type forward; forwarders { 10.1.2.3; };
zone bar.local {type forward; forwarders { 10.4.5.6; };
These are obviously invalid TLDs, and are defined on servers over which
I have no influence or control. The difficulty is if my named.conf contains:
dnssec-validation auto;
then I'm unable to return records for things like a.foo.local, and my
log contains info-messages of the sort:
---
lame-servers: info: insecurity proof failed resolving
'foo.local/SOA/IN': 10.1.2.3#53
dnssec: info: validating foo.local/SOA: got insecure response; parent
indicates it should be secure
---
Is there any way to tell my resolver it shouldn't be validating
responses for foo.local?
Or must I assert authority over .local and delegate authority for 'foo'
and 'bar' back to the servers which are already answering for them?
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
