NXDomain reply after LAN IP response from forwarder for zone

Greg Choules gregchoules+bindusers at googlemail.com
Sat Sep 13 22:01:57 UTC 2025


Hello.
What version of BIND are you running?

By default, BIND will attempt to perform DNSSEC validation, which is
probably why you're seeing the DS query. See here for more information on
validation and DNSSEC in general:
https://bind9.readthedocs.io/en/latest/dnssec-guide.html#dnssec-validation-explained

You might want to leave validation enabled in general, but disable it for
domains that you know are not signed, like "my-home.net.lan". Take a look
at this configuration statement:
https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-validate-except

I hope that helps.
Cheers, Greg

On Sat, 13 Sept 2025 at 19:08, Jarrod Spencer Farrell <jarrodmaddy at gmail.com>
wrote:

> That changes the response to ServFail, but probably appropriate on what
> I'm doing when reading into the option. (https://serverfault.com/a/1001622)
>
> And watching `tcpdump` with me asking via `dig` without the extra clutter
> I was getting from my phone, I am noticing I missed another query being
> made when previously there was a lot of noise from my phone.
>
> ```
> IP 10.0.10.3.38966 > 10.0.10.100.53: 32932+ [1au] A?
> firewall.my-home.net.lan. (62)
> IP 10.0.10.100.7337 > 10.0.10.101.53: 6902+% [1au] A?
> firewall.my-home.net.lan. (62)
> IP 10.0.10.101.53 > 10.0.10.100.7337: 6902* 1/0/1 A 10.96.48.1 (66)
> IP 10.0.10.100.53823 > 10.0.10.101.53: 57793+% [1au] DS?
> firewall.my-home.net.lan. (62)
> IP 10.0.10.101.53 > 10.0.10.100.53823: 57793* 0/0/1 (50)
> IP 10.0.10.100.53 > 10.0.10.3.38966: 32932 ServFail 0/0/1 (78)
> ```
>
> The VPS is asking for a DS answer. This seems to be a DNSSEC thing, and I
> don't think I need DNSSEC for this zone in particular.
>
> I did notice `dnssec-must-be-secure` got deprecated and removed, so I
> removed it from my configuration. (
> https://gitlab.isc.org/isc-projects/bind9/-/issues/4263) I saw it in
> passing when searching for options and felt relevant to add in the config.
> Removing it doesn't change what the VPS does.
>
> ```named.conf
> include "/etc/bind/rndc.key";
> controls {
>    inet 127.0.0.1 allow {localhost;} keys {"rndc-key";};
> };
>
> acl cachenetworks {  127.0.0.0/24;  ::1/128;  10.0.10.0/24;  };
> acl badnetworks {  };
>
> options {
>    listen-on {  any;  };
>    listen-on-v6 {  any;  };
>    allow-query-cache { cachenetworks; };
>    blackhole { badnetworks; };
>    forward first;
>    forwarders {  9.9.9.9;  149.112.112.112;  2620:fe::fe;  2620:fe::9;  };
>    directory "/run/named";
>    pid-file "/run/named/named.pid";
>
> };
>
> zone "my-home.net.lan" {
>    type forward;
>    forward only;
>    forwarders { 10.0.10.101; };
> };
> ```
>
> On 9/13/25 01:49, Mark Andrews wrote:
> > Use “forward only:” for your local zones.
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list.
>
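Greg's suggestion applied to the named.conf quoted above, as an added example that is neither poster's own configuration: validation stays on for the public namespace (the `dnssec-validation auto;` line only writes out BIND's default), and `validate-except` switches it off only beneath the unsigned internal domain. Everything else is the quoted config unchanged; the two commented statements in `options` are the additions.

```conf
include "/etc/bind/rndc.key";
controls {
   inet 127.0.0.1 allow {localhost;} keys {"rndc-key";};
};

acl cachenetworks {  127.0.0.0/24;  ::1/128;  10.0.10.0/24;  };
acl badnetworks {  };

options {
   listen-on {  any;  };
   listen-on-v6 {  any;  };
   allow-query-cache { cachenetworks; };
   blackhole { badnetworks; };
   forward first;
   forwarders {  9.9.9.9;  149.112.112.112;  2620:fe::fe;  2620:fe::9;  };
   directory "/run/named";
   pid-file "/run/named/named.pid";

   // Added: keep DNSSEC validation enabled for everything else. This is
   // BIND's default; it is spelled out so the intent is visible.
   dnssec-validation auto;

   // Added: treat my-home.net.lan (and everything under it) as insecure.
   // named then stops looking for a DS record for names in that domain,
   // and the A answer from 10.0.10.101 is passed back to the client
   // instead of ServFail.
   validate-except { "my-home.net.lan"; };
};

zone "my-home.net.lan" {
   type forward;
   forward only;
   forwarders { 10.0.10.101; };
};
```

Check the file with `named-checkconf` before applying it, then `rndc reconfig`. With validation skipped under that domain, a trace of `dig @10.0.10.100 firewall.my-home.net.lan A` should show only the A query to 10.0.10.101 and its answer (10.96.48.1 in the capture above), with no DS query and a NOERROR reply to the client; `validate-except` does nothing for domains that are actually signed and resolved through the public forwarders, which keep being validated.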