forwarding ".local" subdomains when "local" exist

Matus UHLAR - fantomas uhlar at fantomas.sk
Tue Sep 3 16:46:16 UTC 2024


On 16.08.24 19:55, Tim Maestas wrote:
>You need to have the delegation in the parent in order for the forwarding
>to kick in. It can be bogus, but it has to be there. You'll find the same
>behavior when you're authoritative for the root zone; any type forwarded
>zones will need to also have NS in the root (or closest enclosing
>authoritative zone).

Thanks, this worked.

I created ".local" zone (copied from db.empty) with dummy NS for 
"example.local" and forwarding works, just as ".local" is resolved locally.


>On Fri, Aug 16, 2024, 7:13 AM Matus UHLAR - fantomas <uhlar at fantomas.sk>
>wrote:
>> our customer has private .local zone "example.local"
>> (I know this should be used for multicast...)
>> so I have configured forwarding queries for this domain to his servers:
>>
>> zone "example.local" {
>>          type forward;
>>          forward only;
>>          forwarders {
>>                  192.168.0.1;
>>          };
>> };
>>
>> zone "168.192.in-addr.arpa" {
>>          type forward;
>>          forward only;
>>          forwarders {
>>                  192.168.0.1;
>>          };
>> };
>>
>> Since some queries for ".local" zone were leaking out of their network,
>> I have long ago locally configured empty zone "local":
>>
>> zone "local" {
>>         type master;
>>         file "/etc/bind/db.empty";
>> };
>>
>> Now, the resolution of "example.local" does not work, named returns
>> "nxdomain", doesn't forward the query.
>>
>> when I commented out the "local" zone, named started working,
>> I just needed to add
>>   validate-except { "local"; };
>> guess I understand why.
>>
>>
>> From the history I remember that defining zone (example.local) with no
>> delegation in the parent zone (local) does not cause issues (locally).
>>
>> Is "type forward" special in this case?
>>
>> Debian 12, BIND 1:9.18.28-1~deb12u2

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
    One OS to rule them all, One OS to find them,
One OS to bring them all and into darkness bind them


More information about the bind-users mailing list
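
A check for the condition discussed in this thread, as an added example that is not part of the original messages or of BIND: it reports every `type forward` zone whose closest enclosing locally authoritative zone carries no NS delegation for it, which is the case where named answers NXDOMAIN instead of forwarding. The function names, the sample data and the `dummy.invalid.` NS target are constructed, and the parser assumes one record per line, `type` as the first statement of each zone block, and a delegation at exactly the forward zone's name.

```python
import re

# Constructed sample mirroring the named.conf quoted in the thread.
NAMED_CONF = '''
zone "example.local" { type forward; forward only; forwarders { 192.168.0.1; }; };
zone "168.192.in-addr.arpa" { type forward; forward only; forwarders { 192.168.0.1; }; };
zone "local" { type master; file "/etc/bind/db.empty"; };
'''
# Constructed zone data: a db.empty-style apex, then the same plus a dummy delegation.
EMPTY_ZONE = '''$TTL 86400
@ IN SOA localhost. root.localhost. ( 1 604800 86400 2419200 86400 )
@ IN NS localhost.
'''
FIXED_ZONE = EMPTY_ZONE + "example IN NS dummy.invalid.  ; bogus target, constructed\n"

def parse_zones(conf):
    """Return {zone name: type}; assumes 'type' is the first statement in each zone block."""
    pat = re.compile(r'zone\s+"([^"]+)"\s*\{\s*type\s+(\w+)\s*;')
    return {name.lower().rstrip("."): ztype.lower() for name, ztype in pat.findall(conf)}

def delegated_names(zone_text, origin):
    """Return owner names below the apex that carry NS records (one record per line)."""
    names, owner = set(), origin
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()
        if not fields or fields[0].startswith("$"):
            continue
        if not line[0].isspace():          # explicit owner, otherwise inherit the previous one
            label = fields[0].lower()
            owner = origin if label == "@" else (label.rstrip(".") if label.endswith(".") else f"{label}.{origin}")
        if len(fields) >= 2 and fields[-2].upper() == "NS" and owner != origin:
            names.add(owner)
    return names

def unforwardable(conf, zone_files):
    """Return (forward zone, parent) pairs where the closest enclosing locally
    authoritative zone has no NS delegation for the forward zone."""
    zones = parse_zones(conf)
    auth = [z for z, t in zones.items() if t in ("master", "primary")]
    problems = []
    for fwd in (z for z, t in zones.items() if t == "forward"):
        parents = [a for a in auth if fwd.endswith("." + a)]
        if not parents:
            continue                       # no authoritative ancestor here
        parent = max(parents, key=len)     # closest enclosing zone
        if fwd not in delegated_names(zone_files[parent], parent):
            problems.append((fwd, parent))
    return problems
```

With the empty parent zone the check flags `example.local`; with the dummy NS record added it reports nothing, and `168.192.in-addr.arpa` is never flagged because no local zone encloses it.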