Re: strange dnssec question
Thank you, I'll report back the result

On Wed, Aug 18, 2021 at 10:49 AM Mark Andrews wrote:
>
> > On 18 Aug 2021, at 10:23, Edwardo Garcia wrote:
> >
> > Hola Mark,
> >
> > Thank you, so to be clear, what does it mean to delegate the zone, the black zone? I am not a dns expert unfortunately
>
> Yes, create a separate zone for black.example.net.
>
> In example.net you add NS records for black.example.net. They can use the same nameservers as for example.net.
>
>     black.example.net. NS some.name.server.
>     black.example.net. NS some-other.name.server.
>
> You will end up with 2 zone clauses. Apart from the obvious name differences you won't add the instructions to sign black.example.net to its stanza.
>
>     zone example.net {
>         type primary;
>         file "example.net.db";
>         ...
>     };
>
>     zone black.example.net {
>         type primary;
>         file "black.example.net.db";
>         ...
>     };
>
> The top of black.example.net.db has an SOA record and the same NS records as you put in the parent zone for it. The two sets of NS records are supposed to be the same.
>
> Mark
>
> > On Wed, Aug 18, 2021 at 6:23 AM Mark Andrews wrote:
> > Delegate the zone. Do NOT add a DS for it.
> >
> > --
> > Mark Andrews
> >
> >> On 17 Aug 2021, at 23:47, Edwardo Garcia wrote:
> >>
> >> Hola
> >>
> >> We have had dnssec working for a long time but now need to have a subdomain excluded; we are going to use it to replace an internal blacklist, we have 14 smtp servers and it is cumbersome to keep in sync.
> >>
> >> So we have example.net signed, but we want black.example.net, and of course all addresses under it, eg: 4.3.2.1.black.example.net, to work. At present of course this presents SERVFAIL because of dnssec; obviously "black" needs to be in the example.net zone, and its dns is ns999 which works when dnssec is disabled, but this is not optimum.
> >>
> >> Looking for suggestions or guidance on how we fix this please? Or is this not possible?
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: strange dnssec question
> On 18 Aug 2021, at 10:23, Edwardo Garcia wrote:
>
> Hola Mark,
>
> Thank you, so to be clear, what does it mean to delegate the zone, the black zone? I am not a dns expert unfortunately

Yes, create a separate zone for black.example.net.

In example.net you add NS records for black.example.net. They can use the same nameservers as for example.net.

    black.example.net. NS some.name.server.
    black.example.net. NS some-other.name.server.

You will end up with 2 zone clauses. Apart from the obvious name differences you won't add the instructions to sign black.example.net to its stanza.

    zone example.net {
        type primary;
        file "example.net.db";
        ...
    };

    zone black.example.net {
        type primary;
        file "black.example.net.db";
        ...
    };

The top of black.example.net.db has an SOA record and the same NS records as you put in the parent zone for it. The two sets of NS records are supposed to be the same.

Mark

> On Wed, Aug 18, 2021 at 6:23 AM Mark Andrews wrote:
> Delegate the zone. Do NOT add a DS for it.
>
> --
> Mark Andrews
>
>> On 17 Aug 2021, at 23:47, Edwardo Garcia wrote:
>>
>> Hola
>>
>> We have had dnssec working for a long time but now need to have a subdomain excluded; we are going to use it to replace an internal blacklist, we have 14 smtp servers and it is cumbersome to keep in sync.
>>
>> So we have example.net signed, but we want black.example.net, and of course all addresses under it, eg: 4.3.2.1.black.example.net, to work. At present of course this presents SERVFAIL because of dnssec; obviously "black" needs to be in the example.net zone, and its dns is ns999 which works when dnssec is disabled, but this is not optimum.
>>
>> Looking for suggestions or guidance on how we fix this please? Or is this not possible?

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
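A small consistency check for the setup Mark describes, added here as an example and not part of the thread: it reads two constructed zone files and confirms that the parent delegates black.example.net with NS records, carries no DS for it (so validators treat the child as unsigned rather than bogus), and that the child apex has an SOA and the same NS set as the parent. The zone texts, the minimal one-record-per-line parser and the function names are assumptions.

```python
import re

# Constructed parent zone: NS delegation for the child, deliberately no DS.
PARENT_ZONE = """\
$TTL 3600
example.net.        IN SOA ns1.example.net. hostmaster.example.net. 2021081801 7200 900 1209600 3600
example.net.        IN NS  ns1.example.net.
example.net.        IN NS  ns2.example.net.
black.example.net.  IN NS  ns1.example.net.
black.example.net.  IN NS  ns2.example.net.
"""

# Constructed child zone: apex SOA plus the same NS set as the parent.
CHILD_ZONE = """\
$TTL 3600
black.example.net.         IN SOA ns1.example.net. hostmaster.example.net. 2021081801 7200 900 1209600 3600
black.example.net.         IN NS  ns1.example.net.
black.example.net.         IN NS  ns2.example.net.
4.3.2.1.black.example.net. IN A   127.0.0.2
"""

# owner [ttl] [IN] type rdata   (assumption: one record per line, no $ORIGIN)
RR = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(\S+)\s+(.*)$")

def records(zone_text):
    """Yield (owner, type, rdata) for each record, skipping comments and $ directives."""
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        m = RR.match(line)
        if m:
            yield m.group(1).lower(), m.group(2).upper(), m.group(3).strip()

def rrset(zone_text, owner, rtype):
    """Set of rdata strings for one owner/type pair."""
    return {rd.lower() for o, t, rd in records(zone_text) if o == owner and t == rtype}

def check_unsigned_delegation(parent, child, name):
    """Return a list of problems; an empty list means the delegation matches the recipe."""
    name = name.lower().rstrip(".") + "."
    problems = []
    parent_ns, child_ns = rrset(parent, name, "NS"), rrset(child, name, "NS")
    if not parent_ns:
        problems.append("parent has no NS records for " + name)
    if not rrset(child, name, "SOA"):
        problems.append("child zone has no SOA at " + name)
    if parent_ns != child_ns:
        problems.append("parent NS %s != child NS %s" % (sorted(parent_ns), sorted(child_ns)))
    # A DS in the parent tells validators to expect signatures in the child: SERVFAIL if absent.
    if rrset(parent, name, "DS"):
        problems.append("parent has a DS for " + name + "; remove it for an unsigned child")
    return problems
```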
Re: strange dnssec question
Hola Mark,

Thank you, so to be clear, what does it mean to delegate the zone, the black zone? I am not a dns expert unfortunately

On Wed, Aug 18, 2021 at 6:23 AM Mark Andrews wrote:
> Delegate the zone. Do NOT add a DS for it.
>
> --
> Mark Andrews
>
> > On 17 Aug 2021, at 23:47, Edwardo Garcia wrote:
> >
> > Hola
> >
> > We have had dnssec working for a long time but now need to have a subdomain excluded; we are going to use it to replace an internal blacklist, we have 14 smtp servers and it is cumbersome to keep in sync.
> >
> > So we have example.net signed, but we want black.example.net, and of course all addresses under it, eg: 4.3.2.1.black.example.net, to work. At present of course this presents SERVFAIL because of dnssec; obviously "black" needs to be in the example.net zone, and its dns is ns999 which works when dnssec is disabled, but this is not optimum.
> >
> > Looking for suggestions or guidance on how we fix this please? Or is this not possible?
Re: strange dnssec question
Delegate the zone. Do NOT add a DS for it.

--
Mark Andrews

> On 17 Aug 2021, at 23:47, Edwardo Garcia wrote:
>
> Hola
>
> We have had dnssec working for a long time but now need to have a subdomain excluded; we are going to use it to replace an internal blacklist, we have 14 smtp servers and it is cumbersome to keep in sync.
>
> So we have example.net signed, but we want black.example.net, and of course all addresses under it, eg: 4.3.2.1.black.example.net, to work. At present of course this presents SERVFAIL because of dnssec; obviously "black" needs to be in the example.net zone, and its dns is ns999 which works when dnssec is disabled, but this is not optimum.
>
> Looking for suggestions or guidance on how we fix this please? Or is this not possible?
strange dnssec question
Hola

We have had dnssec working for a long time but now need to have a subdomain excluded; we are going to use it to replace an internal blacklist, we have 14 smtp servers and it is cumbersome to keep in sync.

So we have example.net signed, but we want black.example.net, and of course all addresses under it, eg: 4.3.2.1.black.example.net, to work. At present of course this presents SERVFAIL because of dnssec; obviously "black" needs to be in the example.net zone, and its dns is ns999 which works when dnssec is disabled, but this is not optimum.

Looking for suggestions or guidance on how we fix this please? Or is this not possible?