Re: insecurity proof failed for a domain
On 13.12.21 08:18, John Thurston wrote: If you update your resolver to 9.16, I think you can do exactly what you want with the "validate-execpt" option. {rolls eyes} been there. done that. for exactly the same reason :/ On 14.12.21 16:58, Matus UHLAR - fantomas wrote: thanks, this helped. I assume I need to put "local" into validate-except {}. This should not be a problem since .local is reserved. I guess .local should have negative trust anchor in root zone. looks like I possibly could achieve the same with bind 9.11 by using rndc nta local to "temporarily" disable checking of "local" domain. BIND would periodically re-check (and fail) and prolong the nta anchor apparently forefer. the "validate-except" is however cleaner solution. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. "They say when you play that M$ CD backward you can hear satanic messages." "That's nothing. If you play it forward it will install Windows." ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: insecurity proof failed for a domain
On 13.12.21 08:18, John Thurston wrote: If you update your resolver to 9.16, I think you can do exactly what you want with the "validate-execpt" option. {rolls eyes} been there. done that. for exactly the same reason :/ thanks, this helped. I assume I need to put "local" into validate-except {}. This should not be a problem since .local is reserved. I guess .local should have negative trust anchor in root zone. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. The early bird may get the worm, but the second mouse gets the cheese. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
re: insecurity proof failed for a domain
If you update your resolver to 9.16, I think you can do exactly what you want with the "validate-execpt" option. {rolls eyes} been there. done that. for exactly the same reason :/ -- -- Do things because you should, not just because you can. John Thurston907-465-8591 john.thurs...@alaska.gov Department of Administration State of Alaska ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
insecurity proof failed for a domain
Hello, I need to internaly forward domain to different nameserver: zone "x.local" { type forward; forward only; forwarders { 100.1.2.3; }; }; when I do this with bind 9.11 (debian 10), I get these messages: Dec 13 14:26:55 mail named[13112]: validating x.local/A: got insecure response; parent indicates it should be secure Dec 13 14:26:55 mail named[13112]: insecurity proof failed resolving 'x.local/ANY/IN': 100.1.2.3#53 Dec 13 14:26:55 mail named[13112]: validating x.local/NS: got insecure response; parent indicates it should be secure Dec 13 14:26:55 mail named[13112]: validating x.local/SOA: got insecure response; parent indicates it should be secure looks like I could avoig this by disabling dnssec but is there any way to disable this checking only for domain "local" or "x.local"? I have tried to create empty "local" domain but then I only received empty responses for any requests. (I know .local is for mdns, but I can't do anything with that). -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Saving Private Ryan... Private Ryan exists. Overwrite? (Y/N) ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users