Re: insecurity proof failed for a domain

2021-12-14 Thread Matus UHLAR - fantomas

On 13.12.21 08:18, John Thurston wrote:
> If you update your resolver to 9.16, I think you can do exactly what
> you want with the "validate-except" option.
>
> {rolls eyes} been there. done that. for exactly the same reason :/


On 14.12.21 16:58, Matus UHLAR - fantomas wrote:
> thanks, this helped.
> I assume I need to put "local" into validate-except {}.
> This should not be a problem since .local is reserved.
>
> I guess .local should have a negative trust anchor in the root zone.


looks like I possibly could achieve the same with bind 9.11 by using

rndc nta local

to "temporarily" disable checking of the "local" domain.

BIND would periodically re-check (and fail) and prolong the nta anchor
apparently forever.

the "validate-except" is however a cleaner solution.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
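
An added example, not part of the thread and not ISC code: a small audit that reads named validation-failure messages in the format quoted in the original report and separates names covered by a validate-except list from names still failing validation outside it. The function names, the sample log and the name host.notlocal are constructed for illustration; matching is done label by label, since the exemption applies at and beneath the listed name.

```python
import re
from collections import Counter

# Constructed sample. Lines 1-3 repeat the BIND 9.11 messages quoted in the
# thread (unwrapped); line 4 is a constructed failure outside .local.
SAMPLE_LOG = """\
Dec 13 14:26:55 mail named[13112]: validating x.local/A: got insecure response; parent indicates it should be secure
Dec 13 14:26:55 mail named[13112]: insecurity proof failed resolving 'x.local/ANY/IN': 100.1.2.3#53
Dec 13 14:26:55 mail named[13112]: validating x.local/SOA: got insecure response; parent indicates it should be secure
Dec 13 14:27:01 mail named[13112]: validating host.notlocal/A: got insecure response; parent indicates it should be secure
"""

# Patterns assume the message wording shown in the thread.
VALIDATING = re.compile(r"validating (\S+)/[A-Z0-9]+: got insecure response")
PROOF_FAILED = re.compile(r"insecurity proof failed resolving '([^/']+)/")


def labels(name):
    """Lower-cased DNS labels of a name, ignoring a trailing root dot."""
    return [p for p in name.lower().rstrip(".").split(".") if p]


def is_exempt(name, exempt_domains):
    """True if name is at or beneath an exempt domain, compared label by label."""
    n = labels(name)
    for dom in exempt_domains:
        d = labels(dom)
        if len(d) <= len(n) and n[len(n) - len(d):] == d:
            return True
    return False


def triage(log_text, exempt_domains):
    """Count logged validation failures per name, split by exemption coverage."""
    covered, uncovered = Counter(), Counter()
    for line in log_text.splitlines():
        m = VALIDATING.search(line) or PROOF_FAILED.search(line)
        if m:
            name = m.group(1).lower()
            bucket = covered if is_exempt(name, exempt_domains) else uncovered
            bucket[name] += 1
    return covered, uncovered


if __name__ == "__main__":
    covered, uncovered = triage(SAMPLE_LOG, ["local"])
    print("covered by validate-except:", dict(covered))
    print("still failing validation:  ", dict(uncovered))
```

Names in the second group are validation failures that an exemption for "local" does not explain and are worth investigating separately.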


Re: insecurity proof failed for a domain

2021-12-14 Thread Matus UHLAR - fantomas

On 13.12.21 08:18, John Thurston wrote:
> If you update your resolver to 9.16, I think you can do exactly what
> you want with the "validate-except" option.
>
> {rolls eyes} been there. done that. for exactly the same reason :/


thanks, this helped.
I assume I need to put "local" into validate-except {}.
This should not be a problem since .local is reserved.

I guess .local should have a negative trust anchor in the root zone.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
The early bird may get the worm, but the second mouse gets the cheese.


re: insecurity proof failed for a domain

2021-12-13 Thread John Thurston
If you update your resolver to 9.16, I think you can do exactly what you
want with the "validate-except" option.


{rolls eyes} been there. done that. for exactly the same reason :/




--
Do things because you should, not just because you can.

John Thurston    907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska


insecurity proof failed for a domain

2021-12-13 Thread Matus UHLAR - fantomas

Hello,

I need to internally forward a domain to a different nameserver:

zone "x.local" {
    type forward;
    forward only;
    forwarders {
        100.1.2.3;
    };
};

when I do this with bind 9.11 (debian 10), I get these messages:

Dec 13 14:26:55 mail named[13112]: validating x.local/A: got insecure response; parent indicates it should be secure
Dec 13 14:26:55 mail named[13112]: insecurity proof failed resolving 'x.local/ANY/IN': 100.1.2.3#53
Dec 13 14:26:55 mail named[13112]: validating x.local/NS: got insecure response; parent indicates it should be secure
Dec 13 14:26:55 mail named[13112]: validating x.local/SOA: got insecure response; parent indicates it should be secure

looks like I could avoid this by disabling dnssec but is there any way to
disable this checking only for domain "local" or "x.local"?

I have tried to create an empty "local" domain but then I only received empty
responses for any requests.

(I know .local is for mdns, but I can't do anything with that).

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)