Re: Exempt .local from dnssec validation on resolver?
One may also want to disable synth-from-dnssec to prevent this NSEC record synthesising a negative response.

    loans.    4070    IN    NSEC    locker. NS DS RRSIG NSEC

If named gets a query for a name in the covered range it will learn the NSEC record and will synthesise a negative response if there isn't a cached positive entry between the looked up name and loans.

The IETF decided to not make a delegation at .local to break the chain of trust.

Mark

> On 26 Jul 2019, at 7:10 am, Evan Hunt wrote:
>
> On Thu, Jul 25, 2019 at 09:03:26PM +, Evan Hunt wrote:
>> In 9.11, no. In 9.14, you can use "validate-except { local; };"
>
> (Afterthought: In 9.11, you can also use "rndc nta" to suppress validation
> on a given domain, but negative trust anchors expire after a while, so you
> have to keep doing it over and over. You could sign the ".local" zone and
> distribute a trust anchor for it to all of your internal resolvers. So, I
> shouldn't have said "no". But the simple fire-and-forget method that you
> seemed to be looking for was not introduced until 9.14.)
>
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742   INTERNET: ma...@isc.org

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
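The following named.conf fragment is an added example, not configuration posted by anyone in this thread or shipped by ISC. It puts the advice from the replies together in one place for a BIND 9.14 or later resolver: validation stays on for the public namespace, the .local names from the original question are exempted with validate-except, and synth-from-dnssec is turned off so the cached root-zone NSEC covering "local" cannot be used to synthesise NXDOMAIN. The forwarder addresses 10.1.2.3 and 10.4.5.6 are the ones from the question; the directory path and the choice of "forward only" are assumptions for the example. On 9.11, where validate-except does not exist, the comment records the rndc nta alternative from the thread.

```conf
// Added example (not from the thread): resolver configuration that keeps
// DNSSEC validation enabled except for private .local forward zones.
options {
    directory "/var/cache/bind";   // assumption: adjust to your layout
    recursion yes;

    // Validate the public namespace as before.
    dnssec-validation auto;

    // BIND 9.14+ only: skip validation for names at or below "local".
    // On 9.11 this statement is not available; the thread's alternative is
    //   rndc nta local
    // which installs a negative trust anchor that expires and must be renewed.
    validate-except { local; };

    // The root zone's NSEC "loans. NSEC locker." covers "local". With
    // synthesis enabled a cached copy of that record can answer .local
    // queries with a synthesised negative response instead of forwarding.
    synth-from-dnssec no;
};

// Forward zones from the original question, with the closing braces completed.
// "forward only" (assumption) stops named from falling back to iterative
// resolution from the root, which would otherwise return NXDOMAIN for .local.
zone "foo.local" {
    type forward;
    forward only;
    forwarders { 10.1.2.3; };
};

zone "bar.local" {
    type forward;
    forward only;
    forwarders { 10.4.5.6; };
};
```

Check the fragment with named-checkconf before reloading; a resolver older than 9.14 will reject the validate-except statement, which is the quickest way to tell which of the two approaches in the thread applies to you.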
Re: Exempt .local from dnssec validation on resolver?
On Thu, Jul 25, 2019 at 09:03:26PM +, Evan Hunt wrote:
> In 9.11, no. In 9.14, you can use "validate-except { local; };"

(Afterthought: In 9.11, you can also use "rndc nta" to suppress validation
on a given domain, but negative trust anchors expire after a while, so you
have to keep doing it over and over. You could sign the ".local" zone and
distribute a trust anchor for it to all of your internal resolvers. So, I
shouldn't have said "no". But the simple fire-and-forget method that you
seemed to be looking for was not introduced until 9.14.)

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Re: Exempt .local from dnssec validation on resolver?
On Thu, Jul 25, 2019 at 12:52:18PM -0800, John Thurston wrote:
> Is there any way to tell my resolver it shouldn't be validating
> responses for foo.local?

In 9.11, no. In 9.14, you can use "validate-except { local; };"

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Exempt .local from dnssec validation on resolver?
For historical reasons we have some forward-zones defined on our resolver (v9.11.9). For example:

    zone foo.local { type forward; forwarders { 10.1.2.3; }; };
    zone bar.local { type forward; forwarders { 10.4.5.6; }; };

These are obviously invalid TLDs, and are defined on servers over which I have no influence or control.

The difficulty is if my named.conf contains:

    dnssec-validation auto;

then I'm unable to return records for things like a.foo.local, and my log contains info-messages of the sort:

---
lame-servers: info: insecurity proof failed resolving 'foo.local/SOA/IN': 10.1.2.3#53
dnssec: info: validating foo.local/SOA: got insecure response; parent indicates it should be secure
---

Is there any way to tell my resolver it shouldn't be validating responses for foo.local?

Or must I assert authority over .local and delegate authority for 'foo' and 'bar' back to the servers which are already answering for them?

--
Do things because you should, not just because you can.

John Thurston   907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska