Exempt .local from dnssec validation on resolver?

Mark Andrews marka at isc.org
Fri Jul 26 11:45:53 UTC 2019


One may also want to disable synth-from-dnssec to prevent this NSEC record
synthesising a negative response.

loans.			4070	IN	NSEC	locker. NS DS RRSIG NSEC

If named gets a query for a name in the covered range it will learn the
NSEC record and will synthesise a negative response if there isn’t a cached
positive entry between the looked up name and loans.  The IETF decided to
not make a delegation at .local to break the chain of trust.

Mark

> On 26 Jul 2019, at 7:10 am, Evan Hunt <each at isc.org> wrote:
> 
> On Thu, Jul 25, 2019 at 09:03:26PM +0000, Evan Hunt wrote:
>> In 9.11, no.  In 9.14, you can use "validate-except { local; };"
> 
> (Afterthought: In 9.11, you can also use "rndc nta" to suppress validation
> on a given domain, but negative trust anchors expire after a while, so you
> have to keep doing it over and over.  You could sign the ".local" zone and
> distribute a trust anchor for it to all of your internal resolvers.  So, I
> shouldn't have said "no". But the simple fire-and-forget method that you
> seemed to be looking for was not introduced until 9.14.)
> 
> -- 
> Evan Hunt -- each at isc.org
> Internet Systems Consortium, Inc.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
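The two configuration knobs discussed in this thread, put together in one `options` block. This is an added example and not configuration posted by Mark or Evan; it assumes BIND 9.14 or later (where `validate-except` exists) and a resolver that otherwise validates normally. The `rndc nta` command in the trailing comment is the 9.11-era alternative Evan mentions, which expires and has to be repeated.

```conf
// Hypothetical named.conf "options" fragment for a validating resolver.
// Added example; assumes BIND 9.14+ (validate-except is not in 9.11).
options {
    dnssec-validation auto;

    // Skip DNSSEC validation at and below .local: there is no delegation
    // for it in the root zone, so no chain of trust can ever exist there.
    validate-except { local; };

    // Do not let a cached NSEC record (such as the loans. -> locker. NSEC
    // quoted above) be used to synthesise negative answers for names that
    // fall inside the range it covers.
    synth-from-dnssec no;
};

// On BIND 9.11, which lacks validate-except, a negative trust anchor is the
// interim workaround; it expires, so it has to be re-added periodically:
//   rndc nta local
```

With `synth-from-dnssec no`, a query for a name under a covered range is sent upstream instead of being answered from the cached NSEC, which is the behaviour Mark describes wanting to avoid for `.local`.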
