Authoritative and caching

Mark Andrews marka at isc.org
Wed Mar 12 22:49:17 UTC 2025


I shouldn’t have tried to write that on the phone from memory.

dnssec-policy "unlimited" {
        keys { csk lifetime unlimited algorithm ECDSAP256SHA256; };
};

zone "jungersen.dk" {
        type master;
        file "/etc/bind/zones/db.jungersen.dk";
        allow-transfer { 192.168.20.11; };
        dnssec-policy "unlimited";
};

Mark

> On 13 Mar 2025, at 09:13, Danjel Jungersen <danjel at jungersen.dk> wrote:
> 
> On 20-02-2025 08:40, Mark Andrews wrote:
>>> The zone is available publicly, but from public servers not hosted by me (one.com).
>>> And points to my external IP.
>>> My internal bind redirects local traffic directly to local servers on local IPs.
>> DNSSEC is designed to stop spoofed answers being accepted.  When you create a local zone that overrides what is in the public zones you are effectively spoofing answers.  As you have a DNSSEC signed public zone if you want to have these spoofed answers accepted you need to do one of the following:
>> 
>> 1) create a working chain of trust that links to your private zone content
>> Long 1 is the best long term solution....
> So this is the way I will try to go.
>> You currently have the following DS which means you are using ECDSAP256SHA256 (13) as the DNSSEC key algorithm.
>> 
>> jungersen.dk. 7200 IN DS 26658 13 2 23E45B495015A14C3F4FF57C0A36850C013B881BAAF1E32EE4C0C839 FF9CCA52
>> 
>> I would add “dnssec-policy { csk lifetime unlimited algorithm ECDSAP256SHA256; };” to your internal primary if you choose to do 1 or 3.  This will add a DNSKEY record to the zone and cause it to be signed.  You can then take the generated DNSKEY and install it as a trust anchor on the postfix boxes.
>> 
>> You will need to do some reading first. Others here can give you more advice.
>> 
> I have now read a lot, and I think that I actually understood some of it.
> 
> I have:
> zone "jungersen.dk" {
>         type master;
>         file "/etc/bind/zones/db.jungersen.dk";
>         allow-transfer { 192.168.20.11; };
>         dnssec-policy { csk lifetime unlimited algorithm ECDSAP256SHA256; };
> };
> 
> in named.conf.local
> 
> It throws an error, /etc/bind/named.conf.local:15: expected string near '{'
> 
> Line 15 is the dnssec-policy line.
> 
> If I uncomment this line all is well.
> 
> Can anyone tell me what is wrong with this line?
> I have copy pasted it from the suggestion, and have read some online, to me it looks good.
> 
> ????
> 
> BR
> Danjel
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
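The trust-anchor step mentioned in the quoted thread (take the DNSKEY the policy generates and install it on the validating postfix hosts), as an added shell example that is not Mark's or ISC's code: it turns a DNSKEY resource record into BIND's `trust-anchors` static-key statement and refuses anything that is not a SEP (257) key. The function name, the sample records and their base64 are assumptions/constructed.

```shell
#!/bin/sh
# Added example (not from the thread): convert the DNSKEY record that the
# "unlimited" dnssec-policy generates into a BIND "trust-anchors"
# static-key statement for a validating resolver.
# Input: one DNSKEY RR as printed by dig:
#   "<owner> [TTL] [IN] DNSKEY <flags> <protocol> <algorithm> <base64...>"
# Only a key with the SEP bit set (flags 257, i.e. a KSK or CSK) is
# accepted; a plain ZSK (256) rolls and is not meant to be a trust anchor.
dnskey_to_trust_anchor() {
    printf '%s\n' "$1" | awk '
    {
        # find the DNSKEY token so an optional TTL and class are tolerated
        for (i = 1; i <= NF; i++) if ($i == "DNSKEY") break
        if (i > NF || NF < i + 4) exit 2          # not a DNSKEY RR / truncated
        owner = $1; flags = $(i + 1); proto = $(i + 2); alg = $(i + 3)
        if (owner !~ /\.$/) owner = owner "."     # anchor names are FQDNs
        if (flags != 257) exit 3                  # SEP bit required
        if (proto != 3) exit 4                    # DNSKEY protocol is always 3
        key = ""
        for (j = i + 4; j <= NF; j++) key = key $j   # dig splits base64 into chunks
        printf "trust-anchors {\n    %s static-key %s %s %s \"%s\";\n};\n", owner, flags, proto, alg, key
    }'
}

# Constructed sample records (the base64 is a placeholder, not a real key).
SAMPLE_CSK='jungersen.dk. 3600 IN DNSKEY 257 3 13 c2FtcGxlLWtleS1ub3Qt cmVhbA=='
SAMPLE_ZSK='jungersen.dk. 3600 IN DNSKEY 256 3 13 c2FtcGxlLXpzay1ub3Qt cmVhbA=='

# Stand-alone demo: print the statement for the CSK, report the ZSK rejection.
dnskey_to_trust_anchor "$SAMPLE_CSK"
dnskey_to_trust_anchor "$SAMPLE_ZSK" >/dev/null || echo "ZSK rejected (exit $?)" >&2
```

Feed it the DNSKEY RR from `dig @<internal primary> jungersen.dk DNSKEY` once the zone is signed; a static-key anchor never updates itself, which is why a CSK with unlimited lifetime suits this use.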
