One may also want to disable synth-from-dnssec to prevent this NSEC record synthesising a negative response.

loans. 4070 IN NSEC locker. NS DS RRSIG NSEC

If named gets a query for a name in the covered range it will learn the NSEC record and will synthesise a negative response if there isn’t a cached positive entry between the looked up name and loans.

The IETF decided to not make a delegation at .local to break the chain of trust.

Mark

> On 26 Jul 2019, at 7:10 am, Evan Hunt <e...@isc.org> wrote:
>
> On Thu, Jul 25, 2019 at 09:03:26PM +0000, Evan Hunt wrote:
>> In 9.11, no. In 9.14, you can use "validate-except { local; };"
>
> (Afterthought: In 9.11, you can also use "rndc nta" to suppress validation
> on a given domain, but negative trust anchors expire after a while, so you
> have to keep doing it over and over. You could sign the ".local" zone and
> distribute a trust anchor for it to all of your internal resolvers. So, I
> shouldn't have said "no". But the simple fire-and-forget method that you
> seemed to be looking for was not introduced until 9.14.)
>
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
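
Why the record quoted in the message covers "local.", as an added example that is not part of the original thread or of BIND: it applies RFC 4034 canonical name ordering to the NSEC record above. The function names are hypothetical, and escaped characters in presentation-format names are assumed absent.

```python
# Added illustration, not BIND code. Record text is the one quoted in the message.
RECORD = "loans. 4070 IN NSEC locker. NS DS RRSIG NSEC"

def canonical_key(name):
    """RFC 4034 section 6.1 sort key: labels right to left, lowercased octets."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return [label.lower().encode("ascii") for label in reversed(labels)]

def parse_nsec(text):
    """Split a presentation-format NSEC record into owner, next name, type set."""
    owner, _ttl, _cls, rtype, next_name, *types = text.split()
    if rtype != "NSEC":
        raise ValueError("not an NSEC record")
    return owner, next_name, set(types)

def nsec_covers(record, qname):
    """True if this NSEC record alone shows that qname does not exist."""
    owner, next_name, types = parse_nsec(record)
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if q == o:
        return False  # the owner name itself exists
    if q[:len(o)] == o and "NS" in types and "SOA" not in types:
        # Owner is a delegation point: this NSEC belongs to the parent zone
        # and says nothing about names inside the child zone.
        return False
    if o < n:
        return o < q < n
    return q > o  # last NSEC in the zone: next name wraps to the apex

if __name__ == "__main__":
    # Constructed query names for the demonstration.
    for qname in ("local.", "printer.local.", "loans.", "foo.loans.", "lol."):
        print(f"{qname:16} covered={nsec_covers(RECORD, qname)}")
```

Every name at or under "local." sorts between "loans." and "locker.", so a resolver holding this record can answer for those names without asking anyone.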