RE: DNSSEC and forward zone

2023-04-21 Thread David Carvalho via bind-users
Hi, thanks for the reply.

There really is not much I can tell you about my parent zone. For now, I made 
an exclusion with “validate-except” and everything seems to be working fine 
both internally and externally.

Not sure about your first suggestion, as the top domain is also served 
internally by Active Directory. The clients “think” it is the main domain 
server (except my networks which use my dns servers).

 

“A bit better solution would be adding DS record to parent pt zone also for 
internal KSK key.” – I think this is the possibility they are studying. 
Unfortunately I don’t know that much about the parent setup.

Anyway, thanks and regards!

David

 

 

From: bind-users  On Behalf Of Petr Menšík
Sent: 21 April 2023 10:59
To: bind-users@lists.isc.org
Subject: Re: DNSSEC and forward zone

 

Would it make sense to create a subdomain for internal use, but have the main 
zone signed with external records only? Is it possible to make changes to names?

Can you make for example in.ubi.pt just internal only, not accessible from 
outside?

If you want to have your external zone signed with DNSSEC, then internal zone 
has to be signed with DNSSEC too. You can work around different KSK keys by 
adding trust anchor to all your validating resolvers. A bit better solution 
would be adding DS record to parent pt zone also for internal KSK key.

If you make internalsite2.ubi.pt unsigned zone, with own NS and SOA, then it 
can be not signed, when the main ubi.pt zone is. But the indication from the 
parent has to match. Both zones have to be signed or none. Internal zone would 
work too with trust-anchor explicitly added to your resolvers. Unless you want 
to ignore your own zone signatures, internal zone should be signed too.

On 4/19/23 11:49, David Carvalho via bind-users wrote:

 

Hi and thanks for the reply.

Does it make sense to not validate my parent domain entirely? Wouldn’t that 
also stop exterior validation when I request it?

Thanks!

David

 

From: Darren Ankney  <mailto:darren.ank...@gmail.com>  
Sent: 19 April 2023 10:27
To: David Carvalho  <mailto:da...@di.ubi.pt> 
Cc: Bind Users Mailing List  <mailto:bind-users@lists.isc.org> 

Subject: Re: DNSSEC and forward zone

 

Hi David,

 

You can disable validation on one or more domains using "validate-except" - 
https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-validate-except

 

Thank you,

 

Darren Ankney

 

On Wed, Apr 19, 2023 at 5:05 AM David Carvalho via bind-users
<bind-users@lists.isc.org> wrote:

Hello guys

Asking for your help, again.

 

So after setting up DNSSEC I’ve found I couldn’t reach some internal sites on 
my top domain, served by internal DNS servers

There’s no need in hiding domains as my e-mail is shown here.

 

Top domain

ubi.pt (external DNS Servers authoritative)

  Internal DNS servers (windows, Active directory - Recursive)

Internalsite1.ubi.pt

   Internalsite2.ubi.pt

…

di.ubi.pt

(both authoritative and recursive for my networks)

Previously I had the following to get internal sites resolved, but now it seems 
it is completely discarded by dnssec.

zone "ubi.pt" IN {
    type forward;
    forwarders { 192.168.100.1; 192.168.100.2; };
};

 

Is there any configuration to allow me  to be able to access internal sites 
served by internal dns servers, I guess not using DNSSEC?

Can this only be accomplished by adding these entries to my parent domain?

Thanks!

 

Kind regards

David Carvalho

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org <mailto:bind-users@lists.isc.org> 
https://lists.isc.org/mailman/listinfo/bind-users





-- 
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
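
Added example, not part of the original thread: the "validate-except" workaround discussed above in its broad form, next to a narrower variant that keeps validation for the rest of ubi.pt. The names and forwarder addresses are the ones posted in the thread; "dnssec-validation auto", "forward only" and forwarding each internal name separately are assumptions, and the "…" in the original list of internal sites would need one stanza per further name.

```conf
// named.conf fragment for the di.ubi.pt resolver (added example).

options {
    // Assumption: validation is enabled with the built-in root trust anchor.
    dnssec-validation auto;

    // Broad form: validation is skipped at and beneath ubi.pt, so this
    // resolver no longer checks the externally signed records either.
    // validate-except { "ubi.pt"; };

    // Narrow form: skip validation only for the names that exist solely on
    // the unsigned internal servers. Every other ubi.pt name is still
    // validated against the chain of trust from the pt zone.
    // A CNAME is followed to its target, and the target may be validated
    // under its own name, so an internal-only target needs an entry too.
    validate-except {
        "internalsite1.ubi.pt";
        "internalsite2.ubi.pt";
    };
};

// Forward only the internal names rather than the whole ubi.pt zone.
zone "internalsite1.ubi.pt" IN {
    type forward;
    forward only;    // assumption: never fall back to the public servers
    forwarders { 192.168.100.1; 192.168.100.2; };
};

zone "internalsite2.ubi.pt" IN {
    type forward;
    forward only;
    forwarders { 192.168.100.1; 192.168.100.2; };
};
```

named-checkconf checks the syntax before a reload. Afterwards, "dig +dnssec ubi.pt SOA" against this resolver should return the ad flag again, while the listed internal names resolve without it.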


Re: DNSSEC and forward zone

2023-04-21 Thread Petr Menšík
Would it make sense to create a subdomain for internal use, but have the 
main zone signed with external records only? Is it possible to make 
changes to names?


Can you make for example in.ubi.pt just internal only, not accessible 
from outside?


If you want to have your external zone signed with DNSSEC, then internal 
zone has to be signed with DNSSEC too. You can work around different KSK 
keys by adding trust anchor to all your validating resolvers. A bit 
better solution would be adding DS record to parent pt zone also for 
internal KSK key.


If you make internalsite2.ubi.pt unsigned zone, with own NS and SOA, 
then it can be not signed, when the main ubi.pt zone is. But the 
indication from the parent has to match. Both zones have to be signed or 
none. Internal zone would work too with trust-anchor explicitly added to 
your resolvers. Unless you want to ignore your own zone signatures, 
internal zone should be signed too.


On 4/19/23 11:49, David Carvalho via bind-users wrote:


Hi and thanks for the reply.

Does it make sense to not validate my parent domain entirely? Wouldn’t 
that also stop exterior validation when I request it?


Thanks!

David

*From:*Darren Ankney 
*Sent:* 19 April 2023 10:27
*To:* David Carvalho 
*Cc:* Bind Users Mailing List 
*Subject:* Re: DNSSEC and forward zone

Hi David,

You can disable validation on one or more domains using 
"validate-except" - 
https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-validate-except


Thank you,

Darren Ankney

On Wed, Apr 19, 2023 at 5:05 AM David Carvalho via bind-users wrote:


Hello guys

Asking for your help, again.

So after setting up DNSSEC I’ve found I couldn’t reach some
internal sites on my top domain, served by internal DNS servers

There’s no need in hiding domains as my e-mail is shown here.

Top domain

ubi.pt (external DNS Servers authoritative)

Internal DNS servers (windows, Active directory - Recursive)

Internalsite1.ubi.pt

Internalsite2.ubi.pt

    …

di.ubi.pt

(both authoritative and recursive for my networks)

Previously I had the following to get internal sites resolved, but
now it seems it is completely discarded by dnssec.

zone "ubi.pt" IN {
    type forward;
    forwarders { 192.168.100.1; 192.168.100.2; };
};

Is there any configuration to allow me  to be able to access
internal sites served by internal dns servers, I guess not using
DNSSEC?

Can this only be accomplished by adding these entries to my parent
domain?

Thanks!

Kind regards

David Carvalho




--
Petr Menšík
Software Engineer, RHEL
Red Hat,https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB


Re: DNSSEC and forward zone

2023-04-19 Thread Petr Špaček
This confirms that NS record is missing. If there were NS record in 
ubi.pt zone the validator would have detected that the AD zone is not 
signed.


To fix that just add the NS record and it should start working again.

Petr Špaček

On 19. 04. 23 12:42, David Carvalho wrote:

Hello and thanks.
For now I disabled dnssec for the zone, as there were sites that need to be 
accessible.

I found
dnssec: info: validating internalsite2.ubi.pt/CNAME: got insecure response; 
parent indicates it should be secure

I've been told Internal dns (windows) are not set to use dnssec, and even if 
they were, the key would be different than that on the outside servers, which 
is the same domain.

Not optimistic
Regards
David



-Original Message-
From: bind-users  On Behalf Of Petr Špacek
Sent: 19 April 2023 10:35
To: bind-users@lists.isc.org
Subject: Re: DNSSEC and forward zone

You can disable it, but that's just workaround.
It would be better to fix it :-)

I would recommend checking logs on resolver which is failing to resolve the 
domain. I guess you will find out a DNSSEC validation error would tell us 
what's misconfigured.

My bet is that the internal domains are missing delegation from the parent 
domain, which was incorrect even before and worked just accidentally.

E.g. the ubi.pt zone file needs NS records which point to subdomains 
Internalsite1.ubi.pt and di.ubi.pt etc.

If you do not want these domains to resolve from outside, just configure ACL on 
the authoritative servers to not respond to queries from outside of your 
network.

I hope it helps.
Petr Špaček



On 19. 04. 23 11:27, Darren Ankney wrote:

Hi David,

You can disable validation on one or more domains using
"validate-except" -
https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-validate-except

Thank you,

Darren Ankney

On Wed, Apr 19, 2023 at 5:05 AM David Carvalho via bind-users
<bind-users@lists.isc.org> wrote:

 Hello guys

 Asking for your help, again.

 So after setting up DNSSEC I’ve found I couldn’t reach some internal
 sites on my top domain, served by internal DNS servers

 There’s no need in hiding domains as my e-mail is shown here.

 Top domain

 ubi.pt (external DNS Servers authoritative)

 Internal DNS servers (windows, Active directory - Recursive)

 Internalsite1.ubi.pt

 Internalsite2.ubi.pt

 …

 di.ubi.pt

 (both authoritative and recursive for my networks)

 Previously I had the following to get internal sites resolved, but
 now it seems it is completely discarded by dnssec.

 zone "ubi.pt" IN {
     type forward;
     forwarders { 192.168.100.1; 192.168.100.2; };
 };

 Is there any configuration to allow me  to be able to access
 internal sites served by internal dns servers, I guess not using
 DNSSEC?

 Can this only be accomplished by adding these entries to my parent
 domain?

 Thanks!

--
Petr Špaček



RE: DNSSEC and forward zone

2023-04-19 Thread David Carvalho via bind-users
Hello and thanks.
For now I disabled dnssec for the zone, as there were sites that need to be 
accessible.

I found
dnssec: info: validating internalsite2.ubi.pt/CNAME: got insecure response; 
parent indicates it should be secure

I've been told Internal dns (windows) are not set to use dnssec, and even if 
they were, the key would be different than that on the outside servers, which 
is the same domain.

Not optimistic
Regards
David



-Original Message-
From: bind-users  On Behalf Of Petr Špacek
Sent: 19 April 2023 10:35
To: bind-users@lists.isc.org
Subject: Re: DNSSEC and forward zone

You can disable it, but that's just workaround.
It would be better to fix it :-)

I would recommend checking logs on resolver which is failing to resolve the 
domain. I guess you will find out a DNSSEC validation error would tell us 
what's misconfigured.

My bet is that the internal domains are missing delegation from the parent 
domain, which was incorrect even before and worked just accidentally.

E.g. the ubi.pt zone file needs NS records which point to subdomains 
Internalsite1.ubi.pt and di.ubi.pt etc.

If you do not want these domains to resolve from outside, just configure ACL on 
the authoritative servers to not respond to queries from outside of your 
network.

I hope it helps.
Petr Špaček



On 19. 04. 23 11:27, Darren Ankney wrote:
> Hi David,
> 
> You can disable validation on one or more domains using 
> "validate-except" - 
> https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-validate-except
> 
> Thank you,
> 
> Darren Ankney
> 
> On Wed, Apr 19, 2023 at 5:05 AM David Carvalho via bind-users
> <bind-users@lists.isc.org> wrote:
> 
> Hello guys
> 
> Asking for your help, again.
> 
> So after setting up DNSSEC I’ve found I couldn’t reach some internal
> sites on my top domain, served by internal DNS servers
> 
> There’s no need in hiding domains as my e-mail is shown here.
> 
> Top domain
> 
> ubi.pt (external DNS Servers authoritative)
> 
> Internal DNS servers (windows, Active directory - Recursive)
> 
> Internalsite1.ubi.pt
> 
> Internalsite2.ubi.pt
> 
> …
> 
> di.ubi.pt
> 
> (both authoritative and recursive for my networks)
> 
> Previously I had the following to get internal sites resolved, but
> now it seems it is completely discarded by dnssec.
> 
> zone "ubi.pt" IN {
>     type forward;
>     forwarders { 192.168.100.1; 192.168.100.2; };
> };
> 
> Is there any configuration to allow me  to be able to access
> internal sites served by internal dns servers, I guess not using
> DNSSEC?
> 
> Can this only be accomplished by adding these entries to my parent
> domain?
> 
> Thanks!


RE: DNSSEC and forward zone

2023-04-19 Thread David Carvalho via bind-users
Anyway, it is working using your suggestion. Apparently everything is also fine 
from the outside.

But I’ll have to check Petr Špaček’s post and study more.

Thanks!

David

 

 

From: Darren Ankney  
Sent: 19 April 2023 10:27
To: David Carvalho 
Cc: Bind Users Mailing List 
Subject: Re: DNSSEC and forward zone

 

Hi David,

 

You can disable validation on one or more domains using "validate-except" - 
https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-validate-except

 

Thank you,

 

Darren Ankney

 

On Wed, Apr 19, 2023 at 5:05 AM David Carvalho via bind-users
<bind-users@lists.isc.org> wrote:

Hello guys

Asking for your help, again.

 

So after setting up DNSSEC I’ve found I couldn’t reach some internal sites on 
my top domain, served by internal DNS servers

There’s no need in hiding domains as my e-mail is shown here.

 

Top domain

ubi.pt (external DNS Servers authoritative)

  Internal DNS servers (windows, Active directory - Recursive)

Internalsite1.ubi.pt

Internalsite2.ubi.pt

…

di.ubi.pt

(both authoritative and recursive for my networks)

Previously I had the following to get internal sites resolved, but now it seems 
it is completely discarded by dnssec.

zone "ubi.pt" IN {
    type forward;
    forwarders { 192.168.100.1; 192.168.100.2; };
};

 

Is there any configuration to allow me  to be able to access internal sites 
served by internal dns servers, I guess not using DNSSEC?

Can this only be accomplished by adding these entries to my parent domain?

Thanks!

 

Kind regards

David Carvalho



RE: DNSSEC and forward zone

2023-04-19 Thread David Carvalho via bind-users
 

Hi and thanks for the reply.

Does it make sense to not validate my parent domain entirely? Wouldn’t that 
also stop exterior validation when I request it?

Thanks!

David

 

From: Darren Ankney  
Sent: 19 April 2023 10:27
To: David Carvalho 
Cc: Bind Users Mailing List 
Subject: Re: DNSSEC and forward zone

 

Hi David,

 

You can disable validation on one or more domains using "validate-except" - 
https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-validate-except

 

Thank you,

 

Darren Ankney

 

On Wed, Apr 19, 2023 at 5:05 AM David Carvalho via bind-users
<bind-users@lists.isc.org> wrote:

Hello guys

Asking for your help, again.

 

So after setting up DNSSEC I’ve found I couldn’t reach some internal sites on 
my top domain, served by internal DNS servers

There’s no need in hiding domains as my e-mail is shown here.

 

Top domain

ubi.pt (external DNS Servers authoritative)

  Internal DNS servers (windows, Active directory - Recursive)

Internalsite1.ubi.pt

   Internalsite2.ubi.pt

…

di.ubi.pt

(both authoritative and recursive for my networks)

Previously I had the following to get internal sites resolved, but now it seems 
it is completely discarded by dnssec.

zone "ubi.pt" IN {
    type forward;
    forwarders { 192.168.100.1; 192.168.100.2; };
};

 

Is there any configuration to allow me  to be able to access internal sites 
served by internal dns servers, I guess not using DNSSEC?

Can this only be accomplished by adding these entries to my parent domain?

Thanks!

 

Kind regards

David Carvalho



Re: DNSSEC and forward zone

2023-04-19 Thread Petr Špaček

You can disable it, but that's just workaround.
It would be better to fix it :-)

I would recommend checking logs on resolver which is failing to resolve 
the domain. I guess you will find out a DNSSEC validation error would 
tell us what's misconfigured.


My bet is that the internal domains are missing delegation from the 
parent domain, which was incorrect even before and worked just accidentally.


E.g. the ubi.pt zone file needs NS records which point to subdomains 
Internalsite1.ubi.pt and di.ubi.pt etc.


If you do not want these domains to resolve from outside, just configure 
ACL on the authoritative servers to not respond to queries from outside 
of your network.


I hope it helps.
Petr Špaček



On 19. 04. 23 11:27, Darren Ankney wrote:

Hi David,

You can disable validation on one or more domains using 
"validate-except" - 
https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-validate-except 


Thank you,

Darren Ankney

On Wed, Apr 19, 2023 at 5:05 AM David Carvalho via bind-users
<bind-users@lists.isc.org> wrote:


Hello guys

Asking for your help, again.

So after setting up DNSSEC I’ve found I couldn’t reach some internal
sites on my top domain, served by internal DNS servers

There’s no need in hiding domains as my e-mail is shown here.

Top domain

ubi.pt (external DNS Servers authoritative)

Internal DNS servers (windows, Active directory - Recursive)

Internalsite1.ubi.pt

Internalsite2.ubi.pt

    …

di.ubi.pt

(both authoritative and recursive for my networks)

Previously I had the following to get internal sites resolved, but
now it seems it is completely discarded by dnssec.

zone "ubi.pt" IN {
    type forward;
    forwarders { 192.168.100.1; 192.168.100.2; };
};

Is there any configuration to allow me  to be able to access
internal sites served by internal dns servers, I guess not using
DNSSEC?

Can this only be accomplished by adding these entries to my parent
domain?

Thanks!



Re: DNSSEC and forward zone

2023-04-19 Thread Darren Ankney
Hi David,

You can disable validation on one or more domains using "validate-except" -
https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-validate-except

Thank you,

Darren Ankney

On Wed, Apr 19, 2023 at 5:05 AM David Carvalho via bind-users <
bind-users@lists.isc.org> wrote:

> Hello guys
>
> Asking for your help, again.
>
>
>
> So after setting up DNSSEC I’ve found I couldn’t reach some internal sites
> on my top domain, served by internal DNS servers
>
> There’s no need in hiding domains as my e-mail is shown here.
>
>
>
> Top domain
>
>
>
>
>
> ubi.pt (external DNS Servers authoritative)
>
>
>
>   Internal DNS servers (windows, Active directory - Recursive)
>
> Internalsite1.ubi.pt
>
>Internalsite2.ubi.pt
>
> …
>
>
>
>
>
> di.ubi.pt
>
> (both authoritative and recursive for my networks)
>
>
>
> Previously I had the following to get internal sites resolved, but now it
> seems it is completely discarded by dnssec.
>
>
>
> zone "ubi.pt" IN {
>     type forward;
>     forwarders { 192.168.100.1; 192.168.100.2; };
> };
>
>
>
> Is there any configuration to allow me  to be able to access internal
> sites served by internal dns servers, I guess not using DNSSEC?
>
> Can this only be accomplished by adding these entries to my parent domain?
>
> Thanks!
>
>
>
> Kind regards
>
> David Carvalho


DNSSEC and forward zone

2023-04-19 Thread David Carvalho via bind-users
Hello guys

Asking for your help, again.

 

So after setting up DNSSEC I've found I couldn't reach some internal sites
on my top domain, served by internal DNS servers

There's no need in hiding domains as my e-mail is shown here.

 

Top domain




 

 


ubi.pt (external DNS Servers authoritative)

 

  Internal DNS servers (windows, Active directory - Recursive)

Internalsite1.ubi.pt

   Internalsite2.ubi.pt

…

 

 

di.ubi.pt 

(both authoritative and recursive for my networks)

 

Previously I had the following to get internal sites resolved, but now it
seems it is completely discarded by dnssec.

 

zone "ubi.pt" IN {
    type forward;
    forwarders { 192.168.100.1; 192.168.100.2; };
};

 

Is there any configuration to allow me  to be able to access internal sites
served by internal dns servers, I guess not using DNSSEC?

Can this only be accomplished by adding these entries to my parent domain?

Thanks!

 

Kind regards

David Carvalho
