On Wed, Feb 03, 2016 at 10:02:39AM +0100, Thomas Sturm wrote:
> OK, understood. However, in the case of an unsigned private domain that
> is forwarded, it would be insecure and not invalid, right? What's the
> reason this does not work either, then?
It is invalid. There's a TLD claiming to be a child of the root zone
which the root zone denies having.

A couple of ways to make this work:

1) Sign your internal TLD and give all your local resolvers a copy of
   its key. The key for the TLD will be used as a trust anchor; there
   will be no need to validate the full chain of trust up to the root
   zone.

2) Have all your local resolvers slave the local TLD. When a server
   gives out an authoritative answer to a query, it doesn't bother to
   validate it, because when you're the authority you already *know*
   whether you're giving the correct answer.

-- 
Evan Hunt -- [email protected]
Internet Systems Consortium, Inc.
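The two fixes Evan describes, written out as named.conf fragments. This is an added example, not configuration from the original thread or from ISC; the internal TLD name "corp", the authoritative server address 192.0.2.1 and the key material are constructed placeholders, and the two option fragments are alternatives for the same zone, so only one of them belongs in a given resolver's configuration.

```conf
// Added example (not from the original message): named.conf fragments for a
// validating BIND resolver that must answer for an internal TLD "corp" which
// does not exist in the public root zone. All names, addresses and key data
// are constructed placeholders.

options {
    dnssec-validation auto;   // validate using the built-in root trust anchor
};

// --- Why plain forwarding fails ---
// With validation on, answers under "corp" are checked against the chain of
// trust from the root. The root zone's signed denial of existence proves
// there is no "corp" delegation, so every answer from the forwarder is
// bogus (SERVFAIL), not merely insecure. This is the failing configuration:
//
// zone "corp" {
//     type forward;
//     forward only;
//     forwarders { 192.0.2.1; };
// };

// --- Option 1: sign "corp" and install its public KSK as a trust anchor ---
// The validator uses the closest enclosing trust anchor, so names under
// "corp" are validated against this key and the root's denial of existence
// is never consulted. The key below is a placeholder; use the DNSKEY with
// flags 257 from the signed zone. (BIND 9.16 and later prefer the
// equivalent 'trust-anchors { "corp." static-key 257 3 13 "..."; };' form.)
trusted-keys {
    "corp." 257 3 13 "PLACEHOLDER-BASE64-PUBLIC-KEY";
};

zone "corp" {
    type forward;
    forward only;
    forwarders { 192.0.2.1; };   // placeholder address of the internal primary
};

// --- Option 2 (alternative to option 1): serve "corp" as a secondary ---
// Answers served authoritatively from a local copy are not validated, so
// the zone may stay unsigned. The primary must permit zone transfers to
// this resolver. Commented out here because a zone may only be declared
// once per view; uncomment it and remove the option 1 zone to use it.
//
// zone "corp" {
//     type slave;
//     masters { 192.0.2.1; };     // placeholder address of the internal primary
//     file "slave/corp.db";
// };
```

After editing, `named-checkconf` will catch syntax errors, and a query such as `dig @127.0.0.1 host.corp A +dnssec` shows the difference between the two options: with option 1 a validated answer carries the AD flag, with option 2 the answer is authoritative (AA) and is not validated at all.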

