DNSSEC and forward zone

2023-04-19 Thread David Carvalho via bind-users
Hello guys. Asking for your help, again. So after setting up DNSSEC I've found I couldn't reach some internal sites on my top domain, served by internal DNS servers. There's no need in hiding domains as my e-mail is shown here. Top domain ubi.pt (external

RE: DNSSEC and forward zone

2023-04-19 Thread David Carvalho via bind-users
Anyway, it is working using your suggestion. Apparently everything is also fine from the outside. But I'll have to check Petr Špaček's post and study more. Thanks! David From: Darren Ankney Sent: 19 April 2023 10:27 To: David Carvalho Cc: Bind Users Mailing List Subject: Re: DNSSEC

Re: DNSSEC and forward zone

2023-04-19 Thread Darren Ankney
Hi David, You can disable validation on one or more domains using "validate-except" - https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-validate-except Thank you, Darren Ankney On Wed, Apr 19, 2023 at 5:05 AM David Carvalho via bind-users < bind-users@lists.isc.org>

Re: Fully automated DNSSEC with BIND 9.16

2023-04-19 Thread Greg Choules via bind-users
Hi Håvard Odd, it works for me. Try a literal copy/paste of the link below. Or go to https://kb.isc.org and search for packages: https://kb.isc.org/docs/isc-packages-for-bind-9 Cheers, Greg On Wed, 19 Apr 2023 at 12:03, Havard Eidnes via bind-users < bind-users@lists.isc.org> wrote: > >>

Re: DNSSEC and forward zone

2023-04-19 Thread Petr Špaček
You can disable it, but that's just a workaround. It would be better to fix it :-) I would recommend checking logs on the resolver which is failing to resolve the domain. I guess you will find a DNSSEC validation error that would tell us what's misconfigured. My bet is that the internal domains are

Re: Fully automated DNSSEC with BIND 9.16

2023-04-19 Thread Havard Eidnes via bind-users
>> and if I run straight "upstream" code, it's fairly straightforward to upgrade to this version, modulo, of course, the fact that this involves building it from source.
> 
> It may not be necessary to build from source. There are packages for some distros maintained by ISC

RE: DNSSEC and forward zone

2023-04-19 Thread David Carvalho via bind-users
Hello and thanks. For now I disabled dnssec for the zone, as there were sites that need to be accessible. I found dnssec: info: validating internalsite2.ubi.pt/CNAME: got insecure response; parent indicates it should be secure I've been told Internal dns (windows) are not set to use dnssec,

RE: DNSSEC and forward zone

2023-04-19 Thread David Carvalho via bind-users
Hi and thanks for the reply. Does it make sense to not validate my parent domain entirely? Wouldn’t that also stop exterior validation when I request it? Thanks! David From: Darren Ankney Sent: 19 April 2023 10:27 To: David Carvalho Cc: Bind Users Mailing List Subject: Re: DNSSEC

Re: DNSSEC and forward zone

2023-04-19 Thread Petr Špaček
This confirms that the NS record is missing. If there were an NS record in the ubi.pt zone the validator would have detected that the AD zone is not signed. To fix that just add the NS record and it should start working again. Petr Špaček On 19. 04. 23 12:42, David Carvalho wrote: Hello and thanks.

Catalog zones and disabling notifies

2023-04-19 Thread Andy Smith
Hi, I've just started using a catalog zone to tell my secondary servers to pick up new zones. This is on Debian stable so package version 1:9.16.37-1~deb11u1. I'd like to stop them from sending notifies when they transfer in a zone. Neither "notify no;" nor "notify primary-only;" seems to do it.

Re: Catalog zones and disabling notifies

2023-04-19 Thread Jan-Piet Mens
I'd like to stop them from sending notifies when they transfer in a zone. Neither "notify no;" nor "notify primary-only;" seems to do it. Maybe set `notify no' (or `notify explicit') globally in options{} and then enable notify on a case-by-case basis on statically configured zones on the secondary?

Is it possible to move a zone between catalogs on the same secondary?

2023-04-19 Thread Jan-Piet Mens
I'm in the process of migrating a modest number of zones from one signer (OpenDNSSEC) to another (Knot-DNS). (The KSKs are identical so that should not be an issue for this question.) Each of the signers has a catalog (manually maintained for ODS, automatically for Knot) which is transferred

Re: Best practice MultiView

2023-04-19 Thread Jiaming Zhang
Dear Greg, That's what I thought, that each individual zone must have an NS record pointing to it. But my point is not hiding the NS record (or which server handles it) from internal clients but hiding which internal domains we are running from external malicious clients. Kind regards, Jiaming Zhang

Re: Is it possible to move a zone between catalogs on the same secondary?

2023-04-19 Thread Jan-Piet Mens
Any ideas? is this the point at which I confess I've only now read about Change of Ownership (coo) [1]? -JP [1] https://bind9.readthedocs.io/en/latest/chapter6.html#change-of-ownership-coo -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC

Re: Best practice MultiView

2023-04-19 Thread Greg Choules via bind-users
Hi Jiaming. Here's what I would do. I am assuming one nameserver for the public zone and one (different) nameserver for the internal zones. You would use more in practice but I'm keeping it simple, for illustration. The external NS is reachable from anywhere in the Internet. If you host it in