<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
font-size:10.0pt;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Consolas",serif;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span style='mso-fareast-language:EN-US'>Hi, thanks for the reply.<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>There really is not much I can tell you about my parent zone. For now, I made an exclusion with “validate-except” and everything seems to be working fine both internally and externally.<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>Not sure about your first suggestion, as the top domain is also served internally by Active Directory. The clients “think” it is the main domain server (except my networks which use my dns servers).<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>“</span>A bit better solution would be adding DS record to parent pt zone also for internal KSK key.” – I think this is the possibility they are studying. Unfortunately I don’t know that much about the parent setup.<o:p></o:p></p><p class=MsoNormal>Anyway, t<span style='mso-fareast-language:EN-US'>hanks and regards!<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>David<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US>From:</span></b><span lang=EN-US> bind-users <bind-users-bounces@lists.isc.org> <b>On Behalf Of </b>Petr Menšík<br><b>Sent:</b> 21 April 2023 10:59<br><b>To:</b> bind-users@lists.isc.org<br><b>Subject:</b> Re: DNSSEC and forward zone<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p>Would it make sense to create a subdomain for internal use, but have the main zone signed with external records only? Is it possible to make changes to names?<o:p></o:p></p><p>Can you make for example in.ubi.pt just internal only, not accessible from outside?<o:p></o:p></p><p>If you want to have your external zone signed with DNSSEC, then internal zone has to be signed with DNSSEC too. You can workaround different KSK keys by adding trust anchor to all your validating resolvers. A bit better solution would be adding DS record to parent pt zone also for internal KSK key.<o:p></o:p></p><p>If you make internalsite2.ubi.pt unsigned zone, with own NS and SOA, then it can be not signed, when the main ubi.pt zone is. But the indication from the parent has to match. Both zones have to be signed or none. Internal zone would work too with trust-anchor explicitly added to your resolvers. Unless you want to ignore your own zone signatures, internal zone should be signed too.<o:p></o:p></p><div><p class=MsoNormal>On 4/19/23 11:49, David Carvalho via bind-users wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span lang=PT style='mso-fareast-language:EN-US'> </span><o:p></o:p></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>Hi and thanks for the reply.</span><o:p></o:p></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>Does it make sense to not validate my parent domain entirely? Wouldn’t that also stop exterior validation when I request it?</span><o:p></o:p></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>Thanks!</span><o:p></o:p></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>David</span><o:p></o:p></p><p class=MsoNormal><span lang=PT style='mso-fareast-language:EN-US'> </span><o:p></o:p></p><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US>From:</span></b><span lang=EN-US> Darren Ankney <a href="mailto:darren.ankney@gmail.com"><darren.ankney@gmail.com></a> <br><b>Sent:</b> 19 April 2023 10:27<br><b>To:</b> David Carvalho <a href="mailto:david@di.ubi.pt"><david@di.ubi.pt></a><br><b>Cc:</b> Bind Users Mailing List <a href="mailto:bind-users@lists.isc.org"><bind-users@lists.isc.org></a><br><b>Subject:</b> Re: DNSSEC and forward zone</span><o:p></o:p></p></div><p class=MsoNormal> <o:p></o:p></p><div><p class=MsoNormal>Hi David,<o:p></o:p></p><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>You can disable validation on one or more domains using "validate-except" - <a href="https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-validate-except">https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-validate-except</a><o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>Thank you,<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>Darren Ankney<o:p></o:p></p></div></div><p class=MsoNormal> <o:p></o:p></p><div><div><p class=MsoNormal>On Wed, Apr 19, 2023 at 5:05 AM David Carvalho via bind-users <<a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt'><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Hello guys<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Asking for your help, again.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>So after setting up DNSSEC I’ve found I couldn’t reach some internal sites on my top domain, served by internal DNS servers<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>There’s no need in hiding domains as my e-mail is shown here.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Top domain<o:p></o:p></p><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 align=left><tr style='height:3.0pt'><td width=3 style='width:2.25pt;padding:0cm 0cm 0cm 0cm;height:3.0pt'></td></tr><tr><td style='padding:0cm 0cm 0cm 0cm'></td><td style='padding:0cm 0cm 0cm 0cm'><p class=MsoNormal style='mso-element:frame;mso-element-frame-hspace:2.25pt;mso-element-wrap:around;mso-element-anchor-vertical:paragraph;mso-element-anchor-horizontal:column;mso-height-rule:exactly'><img border=0 width=25 height=33 style='width:.2604in;height:.3437in' id="Picture_x0020_1" src="cid:image001.png@01D9744A.8B1AEDA0"><o:p></o:p></p></td></tr></table><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal><br clear=all><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><a href="http://ubi.pt" target="_blank">ubi.pt</a> (external DNS Servers authoritative)<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> Internal DNS servers (windows, Active directory - Recursive)<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-indent:36.0pt'><span lang=PT> <a href="http://Internalsite1.ubi.pt" target="_blank">Internalsite1.ubi.pt</a></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><img border=0 width=25 height=33 style='width:.2604in;height:.3437in' id="Picture_x0020_2" src="cid:image001.png@01D9744A.8B1AEDA0"><span lang=PT> <a href="http://Internalsite2.ubi.pt" target="_blank">Internalsite2.ubi.pt</a></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><img border=0 width=126 height=99 style='width:1.3125in;height:1.0312in' id="Picture_x0020_3" src="cid:image002.png@01D9744A.8B1AEDA0"><span lang=PT> …</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=PT> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><a href="http://di.ubi.pt" target="_blank">di.ubi.pt</a> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>(both authoritative and recursive for my networks)<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Previously I had the following to get internal sites resolved, but now it seems it is completely discarded by dnssec.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>zone "<a href="http://ubi.pt" target="_blank">ubi.pt</a>" IN {<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> type forward;<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> forwarders { 192.168.100.1; 192.168.100.2; };<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>}<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Is there any configuration to allow me to be able to access internal sites served by internal dns servers, I guess not using DNSSEC?<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Can this only be accomplished by adding these entries to my parent domain?<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Thanks!<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Kind regards<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>David Carvalho<o:p></o:p></p></div></div><p class=MsoNormal>-- <br>Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br><br>ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" target="_blank">https://www.isc.org/contact/</a> for more information.<br><br><br>bind-users mailing list<br><a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br><a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><o:p></o:p></p></div></blockquote></div><p class=MsoNormal><br><br><o:p></o:p></p></blockquote><pre>-- <o:p></o:p></pre><pre>Petr Menšík<o:p></o:p></pre><pre>Software Engineer, RHEL<o:p></o:p></pre><pre>Red Hat, <a href="https://www.redhat.com/">https://www.redhat.com/</a><o:p></o:p></pre><pre>PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB<o:p></o:p></pre></div></body></html>