private tld

Maria bind-lists at
Wed Aug 21 21:10:11 UTC 2013

Thank you for all of the responses; I really appreciate it. Clearly the
best approach is to sign the internal TLD, but at the moment I can't do that
because I would need new internal servers; ours don't support DNSSEC.

I configured it as a slave and it's working. Thanks!


On Tue, Aug 20, 2013 at 08:17:03PM -0500, Timothy Morizot wrote:
> DNSSEC sign the private TLD and configure its KSK as a trust anchor on the
> recursive resolvers.
> Alternatively, you can configure all your recursive resolvers as slaves for
> the private zone. Authoritative responses aren't validated on a mixed
> authoritative/recursive nameserver.
> Those are the only two options that immediately spring to my mind.
> Scott
> On Aug 20, 2013 5:16 PM, "Maria" <bind-lists at> wrote:
> > My company uses a private TLD. We are working on fixing that but the fix
> > is going to take a while, especially if our solution ends up being trying
> > to register it with ICANN.
> >
> > Our resolvers that all internet queries go through have a forward zone
> > statement for that TLD to some internal name servers. Unfortunately, when I
> > turn on DNSSEC validation our resolvers go check out the root zone, see our
> > private zone doesn't exist, and refuse to resolve records in the zone. Is
> > there a solution I can put in place so we can do DNSSEC validation in the
> > meantime while we work on ceasing to use the private TLD?
> >
> > Thanks,
> > Maria
> >
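
The two options from this thread, written out as named.conf for the recursive resolver. This is an example added here, not any poster's configuration: the zone name `corp`, the 192.0.2.x addresses, the file path, the key algorithm and the key placeholder are all assumptions.

```conf
// Constructed example for a validating BIND 9 recursive resolver.
// "corp" stands in for the private TLD; 192.0.2.10 and 192.0.2.11
// stand in for the internal authoritative servers.

options {
    recursion yes;
    dnssec-validation auto;   // validate against the built-in root anchor
};

// BEFORE (the setup that breaks once validation is on):
// answers forwarded for "corp" are validated like any other answer, and
// the signed root zone proves that "corp" does not exist, so they fail.
//
// zone "corp" {
//     type forward;
//     forward only;
//     forwarders { 192.0.2.10; 192.0.2.11; };
// };

// OPTION 2 from the thread (the one Maria applied): make the resolver a
// slave for the private zone. The resolver then answers "corp" from its
// own copy of the zone, and that authoritative data is not validated.
zone "corp" {
    type slave;
    masters { 192.0.2.10; 192.0.2.11; };
    file "slaves/corp.db";
};

// The internal servers must permit zone transfers to every resolver
// configured this way (allow-transfer on their side).

// OPTION 1 from the thread: keep the forward zone, sign "corp" on the
// internal servers, and trust its KSK here. Requires internal servers
// that support DNSSEC. Flags 257 mark a KSK; algorithm 8 is assumed.
//
// trusted-keys {
//     "corp." 257 3 8 "<base64 public key of the corp KSK>";
// };
```

With the slave setup, the integrity of `corp` answers rests on the zone transfer path between the resolvers and the internal servers rather than on DNSSEC signatures.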
