Authoritative and caching

Mark Andrews marka at isc.org
Wed Feb 19 12:01:01 UTC 2025


You can install a negative trust anchor or sign the zone so that DNSSEC validation works. The zone exists in the public DNS. You can use the same key material or use different key material and publish multiple DS records for both the private and public DNSKEYs.

The latter will allow DNSSEC validation to work with BYOD.

You can also sign your internal zone and add trust anchors for it without publishing DS records. This won’t work with BYOD.
-- 
Mark Andrews

> On 19 Feb 2025, at 21:54, Danjel Jungersen <danjel at jungersen.dk> wrote:
> 
> On 19-02-2025 11:44, Mark Andrews wrote:
>> The posix boxes are validating the responses and your zone is not properly delegated/signed so DNSSEC validation fails.
> Is there a way to overcome this?
> They are not delegated, since they are not public.
> - Or am I missing something?
> But it explains why external queries work....
>>  
>> What does the following return?
>> 
>> dig +cd +dnssec mail.jungersen.dk
> 
> I assume I should use the failing bind, so I ran:
> dig +cd +dnssec mail.jungersen.dk @127.0.0.1
> 
> ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> +cd +dnssec mail.jungersen.dk @127.0.0.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48939
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1232
> ; COOKIE: 52f0a7e82a12fe100100000067b5b70dfe529ce9754d3aa8 (good)
> ;; QUESTION SECTION:
> ;mail.jungersen.dk.             IN      A
> 
> ;; ANSWER SECTION:
> mail.jungersen.dk.      372094  IN      A       192.168.20.9
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
> ;; WHEN: Wed Feb 19 11:48:45 CET 2025
> ;; MSG SIZE  rcvd: 90
> 
> BR
> Danjel
> 
> 
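The diagnostic Mark asks for above (run the query with `+cd`, which tells the resolver to skip DNSSEC validation, and compare it with the same query without `+cd`) can be automated. The following is an added example, not code from the thread or from ISC: it parses the header and flags lines of two `dig` runs and classifies the result. The sample outputs are constructed to resemble the quoted one; only the `status` and `flags` lines matter to the parser.

```python
"""Classify a resolver failure from two dig runs (added example, not from the thread).

Rule applied: if `dig +dnssec NAME` returns SERVFAIL but `dig +cd +dnssec NAME`
against the same resolver returns NOERROR, the resolver can fetch the data but
refuses to validate it, so the problem is the DNSSEC chain of trust (delegation,
DS records, or trust anchors), not reachability of the zone.
"""
import re

# ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48939"
HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
# ";; flags: qr rd ra cd; QUERY: 1, ..."
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);")


def parse_dig(output: str) -> dict:
    """Extract the RCODE and the header flag set from dig's text output."""
    status = None
    flags: set = set()
    for line in output.splitlines():
        m = HEADER_RE.match(line)
        if m:
            status = m.group(2)
        m = FLAGS_RE.match(line)
        if m:
            flags = set(m.group(1).split())
    if status is None:
        raise ValueError("no dig header found; was the resolver reachable?")
    return {"status": status, "flags": flags}


def diagnose(normal_output: str, cd_output: str) -> str:
    """Compare a validating query with a checking-disabled (+cd) query."""
    normal = parse_dig(normal_output)
    cd = parse_dig(cd_output)
    if normal["status"] == "NOERROR" and "ad" in normal["flags"]:
        return "validated"            # answer carries the AD bit: chain of trust is intact
    if normal["status"] == "NOERROR":
        return "insecure"             # answered but unvalidated (e.g. unsigned, undelegated zone)
    if normal["status"] == "SERVFAIL" and cd["status"] == "NOERROR":
        return "validation-failure"   # data is fetchable; only validation fails
    if cd["status"] == "SERVFAIL":
        return "resolution-failure"   # fails even with checking disabled: not a DNSSEC problem
    return "unknown"


# Constructed sample outputs (cookie and ids are made up, not taken from the thread).
SERVFAIL_OUTPUT = """; <<>> DiG 9.18.33 <<>> +dnssec mail.jungersen.dk @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11111
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

CD_OK_OUTPUT = """; <<>> DiG 9.18.33 <<>> +cd +dnssec mail.jungersen.dk @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22222
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
mail.jungersen.dk.      372094  IN      A       192.168.20.9
"""

AD_OUTPUT = """; <<>> DiG 9.18.33 <<>> +dnssec mail.jungersen.dk @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33333
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    print(diagnose(SERVFAIL_OUTPUT, CD_OK_OUTPUT))  # validation-failure
    print(diagnose(AD_OUTPUT, CD_OK_OUTPUT))        # validated
```

A `validation-failure` verdict is the situation this thread describes, and the remedies are the ones listed in the reply: a negative trust anchor on the resolver (BIND's `rndc nta` for a temporary one, or `validate-except` in `named.conf` for a persistent one), or signing the internal zone and either publishing DS records in the public parent or configuring the internal key directly under `trust-anchors`. Note that `+cd` only suppresses validation; an answer obtained with it has not been checked, so the script never reports `validated` from the `+cd` run.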