I believe this is the option you are looking for: validate-except { domain.example; };
_________________________________________________________
Nicholas Miller, OIT, University of Colorado at Boulder

> On Apr 13, 2022, at 9:02 AM, Duchscher, Dave J via bind-users
> <bind-users@lists.isc.org> wrote:
>
>> On Apr 13, 2022, at 12:00 AM, Grant Taylor via bind-users
>> <bind-users@lists.isc.org> wrote:
>>
>> On 4/12/22 7:18 PM, Duchscher, Dave J via bind-users wrote:
>>> We are dropping this configuration and looking at doing something else.
>>
>> I'm sorry to hear that.
>>
>>> We have had intermittent issues with Slack, Microsoft, and a growing
>>> list of domains. Even have one that consistently fails.
>>
>> Are you able to share any specific details / examples so that others can
>> see an example of what to look out for?
>
> Sure.
>
> Just to be clear, the setup looks like this:
>
> Internal DNS --> DMZ DNS Cache -> World
>
> Internal DNS is forward only. Only internal DNS allowed on the DNS
> cache systems. DNSSEC validation can be enabled or disabled on the
> cache systems since named always sets the check disabled flag when
> forwarding. This also means that you can't forward to an upstream
> DNS system and have it do the DNSSEC validation. Wish there was a
> way to turn this off or if it would only set the check disabled
> flag when DNSSEC validation is enabled.
>
> Failure mode is that everything looks to work and then a domain
> will stop resolving. Sometimes we get timeouts, sometimes SERVFAIL,
> and other times NXDOMAIN.
>
> On a test setup with fresh restart, these domains always fail.
>
> cybr.club
> am-explorer.com
> simutext.com
> simutext2.com
>
> These domains fail randomly and we have not been able to produce
> the failure.
>
> a.slack-edge.com
> portal.azure.com
> rex-sftp.bncollege.com
>
> There is also our teams and sharepoint domains but rather not put
> them here.
>
> I hope this helps. Needless to say, it has been a frustrating
> situation.
> --
> Dave
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
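
The quoted message says named sets the check disabled (CD) flag on queries it forwards; whether a given forwarder does so can be checked by decoding the header of a query captured between the internal server and the cache. The following is an added example, not part of the original thread: the sample packets are constructed, and the function names (`build_query`, `read_name`, `inspect_query`) are hypothetical.

```python
import struct

RD_BIT = 0x0100  # Recursion Desired (header flags)
CD_BIT = 0x0010  # Checking Disabled (header flags, RFC 4035)
DO_BIT = 0x8000  # DNSSEC OK, flags half of the OPT pseudo-RR TTL (RFC 3225)
OPT_TYPE = 41    # EDNS0 OPT pseudo-RR

def build_query(name, flags, do_bit):
    """Build a constructed sample query: one A question plus an OPT record."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1)
    question = qname + struct.pack("!HH", 1, 1)           # QTYPE=A, QCLASS=IN
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232,  # root owner, UDP size
                                DO_BIT if do_bit else 0, 0)
    return header + question + opt

def read_name(msg, off):
    """Read an uncompressed name; a single-question query normally has no pointers."""
    labels = []
    while msg[off] != 0:
        n = msg[off]
        if n & 0xC0:
            raise ValueError("compressed name not expected in a query")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += n + 1
    return ".".join(labels), off + 1

def inspect_query(msg):
    """Return the DNSSEC-relevant bits of a raw DNS query."""
    _id, flags, qd, _an, _ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname, do = 12, "", False
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4                                   # skip QTYPE and QCLASS
    for _ in range(ar):                            # additional section of the query
        _, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            do = bool(ttl & DO_BIT)
    return {"qname": qname, "rd": bool(flags & RD_BIT),
            "cd": bool(flags & CD_BIT), "do": do}

if __name__ == "__main__":
    # Constructed samples: a plain recursive query and one with CD and DO set.
    for label, flags, do in (("plain", RD_BIT, False), ("CD set", RD_BIT | CD_BIT, True)):
        print(label, inspect_query(build_query("domain.example", flags, do)))
```

A query with `cd` true tells the upstream cache to return data without applying its own validation result, which is the behaviour the quoted message describes.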