<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Would it make sense to create a subdomain for internal use, but
have the main zone signed with external records only? Is it
possible to make changes to names?</p>
<p>Can you make, for example, in.ubi.pt internal only, not
accessible from outside?</p>
<p>If you want to have your external zone signed with DNSSEC, then
the internal zone has to be signed with DNSSEC too. You can work
around different KSK keys by adding a trust anchor to all your
validating resolvers. A somewhat better solution would be to add a
DS record for the internal KSK key to the parent pt zone as well.</p>
<p>If you make internalsite2.ubi.pt an unsigned zone, with its own NS
and SOA, then it can stay unsigned when the main ubi.pt zone is
signed. But the indication from the parent has to match. Both zones
have to be signed, or neither. The internal zone would work too with
a trust anchor explicitly added to your resolvers. Unless you want
to ignore your own zone signatures, the internal zone should be
signed too.</p>
<div class="moz-cite-prefix">On 4/19/23 11:49, David Carvalho via
bind-users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:008a01d972a4$43a06b50$cae141f0$@di.ubi.pt">
<div class="WordSection1">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Hi
and thanks for the reply.</span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Does
it make sense to not validate my parent domain entirely?
Wouldn’t that also stop exterior validation when I request
it?</span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Thanks!</span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">David</span></p>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> Darren Ankney
<a class="moz-txt-link-rfc2396E" href="mailto:darren.ankney@gmail.com"><darren.ankney@gmail.com></a> <br>
<b>Sent:</b> 19 April 2023 10:27<br>
<b>To:</b> David Carvalho <a class="moz-txt-link-rfc2396E" href="mailto:david@di.ubi.pt"><david@di.ubi.pt></a><br>
<b>Cc:</b> Bind Users Mailing List
<a class="moz-txt-link-rfc2396E" href="mailto:bind-users@lists.isc.org"><bind-users@lists.isc.org></a><br>
<b>Subject:</b> Re: DNSSEC and forward zone<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal">Hi David,</p>
<p class="MsoNormal">You can disable validation on one or
more domains using "validate-except" - <a
href="https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-validate-except"
moz-do-not-send="true" class="moz-txt-link-freetext">https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-validate-except</a></p>
<p class="MsoNormal">Thank you,</p>
<p class="MsoNormal">Darren Ankney</p>
</div>
<div>
<div>
<p class="MsoNormal">On Wed, Apr 19, 2023 at 5:05 AM David
Carvalho via bind-users <<a
href="mailto:bind-users@lists.isc.org"
moz-do-not-send="true" class="moz-txt-link-freetext">bind-users@lists.isc.org</a>>
wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC
1.0pt;padding:0cm 0cm 0cm
6.0pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Hello
guys</p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Asking
for your help, again.</p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">So
after setting up DNSSEC I’ve found I couldn’t reach
some internal sites on my top domain, served by
internal DNS servers.</p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">There’s
no need to hide domains, as my e-mail is shown
here.</p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Top
domain</p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><a
href="http://ubi.pt" target="_blank"
moz-do-not-send="true">ubi.pt</a> (external DNS
servers authoritative)</p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">
Internal DNS servers (Windows, Active Directory -
recursive)</p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-indent:36.0pt"><span
lang="PT"><a
href="http://Internalsite1.ubi.pt"
target="_blank" moz-do-not-send="true">Internalsite1.ubi.pt</a></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-indent:36.0pt"><span
lang="PT"><a
href="http://Internalsite2.ubi.pt"
target="_blank" moz-do-not-send="true">Internalsite2.ubi.pt</a></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-indent:36.0pt"><span
lang="PT">…</span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><a
href="http://di.ubi.pt" target="_blank"
moz-do-not-send="true">di.ubi.pt</a> (both
authoritative and recursive for my networks)</p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Previously
I had the following to get internal sites resolved,
but now it seems it is completely discarded by
DNSSEC.</p>
<pre>zone "ubi.pt" IN {
    type forward;
    forwarders { 192.168.100.1; 192.168.100.2; };
};</pre>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Is
there any configuration that would allow me to
access internal sites served by internal DNS
servers, I guess without using DNSSEC?</p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Can
this only be accomplished by adding these entries to
my parent domain?</p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Thanks!</p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Kind
regards</p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">David
Carvalho</p>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
<pre class="moz-signature" cols="72">--
Petr Menšík
Software Engineer, RHEL
Red Hat, <a class="moz-txt-link-freetext" href="https://www.redhat.com/">https://www.redhat.com/</a>
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB</pre>
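<p>The two approaches discussed in this thread (Darren's <code>validate-except</code> and Petr's internal trust anchor), put together as an added example of a BIND 9 <code>named.conf</code> fragment for the di.ubi.pt resolver. This is not code from the original messages and not ISC's or Petr's configuration. The zone name ubi.pt, the two internal names and the forwarder addresses 192.168.100.1/2 are taken from the thread; the ACL ranges, directory, and the DS values in the commented-out trust anchor are placeholders, as is the assumption that the AD forwarders pass DNSSEC records through for public names.</p>

```conf
// Added example, not from the thread: a BIND 9 named.conf fragment for the
// di.ubi.pt resolver that keeps DNSSEC validation on for the Internet while
// still resolving the internal-only names under ubi.pt served by the AD
// servers. ubi.pt, the internal names and the forwarder addresses come from
// the thread; everything else is assumed.

acl "internal-nets" { 127.0.0.1; 192.168.0.0/16; };   // assumed ranges

options {
    directory "/var/named";                           // assumed path
    recursion yes;
    allow-recursion { "internal-nets"; };

    // Validate everything against the built-in root trust anchor ...
    dnssec-validation auto;

    // ... except the names that exist only on the internal servers.
    // Answers at or below these names are accepted without validation
    // (Darren's suggestion). Public ubi.pt names are still validated, so
    // this does not switch off validation for the whole parent domain.
    validate-except {
        "internalsite1.ubi.pt";
        "internalsite2.ubi.pt";
    };
};

// David's forward zone, same scope as posted: everything under ubi.pt is
// asked from the AD servers. "forward only" is added so named never falls
// back to the public ubi.pt servers, which do not know the internal names.
// Assumption about the AD servers: for the public ubi.pt names they must
// return RRSIG/DNSKEY records (EDNS with the DO bit set). If they strip
// them, those names fail validation as bogus, and the fix is to forward
// only the internal subdomains instead of all of ubi.pt.
zone "ubi.pt" IN {
    type forward;
    forward only;
    forwarders { 192.168.100.1; 192.168.100.2; };
};

// Alternative from Petr's reply: keep the internal copy of ubi.pt signed
// with its own KSK and trust that key explicitly on the resolver, instead
// of exempting names from validation. The DS fields below (key tag,
// algorithm, digest type, digest) are placeholders, not a real key; take
// them from "dnssec-dsfromkey" run on the internal KSK, then remove the
// validate-except block above. Publishing the same DS in the parent pt
// zone, as Petr suggests, makes even this stanza unnecessary.
// trust-anchors {
//     "ubi.pt" static-ds 12345 13 2 "<hex digest of the internal KSK>";
// };
```

<p>Run <code>named-checkconf</code> before reloading. To confirm that validation, and not the forwarding, is what breaks a name: <code>dig @127.0.0.1 internalsite1.ubi.pt A</code> answering SERVFAIL while <code>dig @127.0.0.1 internalsite1.ubi.pt A +cd</code> (checking disabled) returns the record means the data arrived but failed validation; after the change, the first query should succeed and the answer carries no AD flag, because the name is exempt rather than proven secure.</p>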
</body>
</html>