You can disable it, but that's just a workaround.
It would be better to fix it :-)

I would recommend checking the logs on the resolver which is failing to resolve the domain. I guess you will find a DNSSEC validation error that would tell us what's misconfigured.

My bet is that the internal domains are missing a delegation from the parent domain, which was incorrect even before and worked just by accident.

E.g. the ubi.pt zone file needs NS records which point to the subdomains Internalsite1.ubi.pt, di.ubi.pt, etc.

If you do not want these domains to resolve from outside, just configure an ACL on the authoritative servers to not respond to queries from outside of your network.

I hope it helps.
Petr Špaček
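As an added illustration of the two routes discussed in this thread (this is not part of Petr's, Darren's or David's messages): the delegation the parent ubi.pt zone needs for the internal names, the forward zone on the internal resolver, the validate-except workaround, and an allow-query ACL for the internal authoritative servers. The zone names and the 192.168.100.1/2 addresses are taken from David's post; the name-server names ns1.di.ubi.pt and ns2.di.ubi.pt, the DS record and the 10.0.0.0/8 prefix are placeholders I have assumed.

```text
;; ---- 1. The fix: delegate the internal names from the public ubi.pt zone ----
;; (zone file for ubi.pt on the external authoritative servers; hypothetical
;; name-server names ns1.di.ubi.pt / ns2.di.ubi.pt)
$ORIGIN ubi.pt.

;; Insecure delegation: NS records but no DS record. A validating resolver that
;; receives an unsigned answer for Internalsite1.ubi.pt can then fetch the
;; parent's signed NSEC/NSEC3 proof that a zone cut exists here with no DS,
;; and accept the answer as insecure instead of rejecting it.
Internalsite1        IN NS   ns1.di.ubi.pt.
Internalsite1        IN NS   ns2.di.ubi.pt.

;; If the child zone is itself signed, publish its DS next to the NS records
;; (the DS value below is a placeholder, not a real digest).
di                   IN NS   ns1.di.ubi.pt.
di                   IN NS   ns2.di.ubi.pt.
di                   IN DS   12345 13 2 <SHA-256 digest of the di.ubi.pt KSK>

;; Glue is only needed because the name servers live inside the delegated zone.
;; Note: these private addresses become visible in public DNS; the ACL in
;; section 4 is what keeps the zone contents themselves from being served outside.
ns1.di               IN A    192.168.100.1
ns2.di               IN A    192.168.100.2

// ---- 2. Internal recursive resolver (named.conf) ----
options {
    dnssec-validation auto;
    // Forwarded answers are still validated. With the delegation from section 1
    // in place, the validator can prove the internal names are insecure (or
    // validate them via the DS) and the forward zone works again.

    // ---- 3. Workaround only (the validate-except pointer above) ----
    // Uncomment to skip validation for these names. Unsigned answers under them
    // are then accepted without any proof, so a forged reply for
    // Internalsite1.ubi.pt would not be detected; treat this as temporary.
    // validate-except { "Internalsite1.ubi.pt"; "di.ubi.pt"; };
};

zone "ubi.pt" IN {
    type forward;
    forward only;        // do not fall back to full recursion if forwarders fail
    forwarders { 192.168.100.1; 192.168.100.2; };
};

// ---- 4. Internal authoritative servers, if they run BIND ----
// Answer only from inside the network so the delegated names do not resolve
// from outside even though the delegation is public (hypothetical prefixes).
acl internal { 10.0.0.0/8; 192.168.0.0/16; localhost; };

zone "di.ubi.pt" IN {
    type primary;        // "type master" in older BIND releases
    file "di.ubi.pt.db";
    allow-query { internal; };
};
```

Without the delegation in section 1, the parent's signed denial for Internalsite1.ubi.pt/DS shows no zone cut there, so the validator treats the name as part of the signed ubi.pt zone and rejects the unsigned answer from the forwarders; that rejection is what the resolver's dnssec log category should show. With the delegation in place the same unsigned answer is accepted as an insecure one, and validate-except is not needed.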



On 19. 04. 23 11:27, Darren Ankney wrote:
Hi David,

You can disable validation on one or more domains using "validate-except" - https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-validate-except

Thank you,

Darren Ankney

On Wed, Apr 19, 2023 at 5:05 AM David Carvalho via bind-users <bind-users@lists.isc.org> wrote:

    Hello guys

    Asking for your help, again.

    So after setting up DNSSEC I've found I couldn't reach some internal
    sites on my top domain, served by internal DNS servers.

    There's no need in hiding domains as my e-mail is shown here.

    Top domain

    ubi.pt (external DNS servers, authoritative)

        Internal DNS servers (Windows, Active Directory - recursive)
        Internalsite1.ubi.pt
        Internalsite2.ubi.pt
        ...

        di.ubi.pt
        (both authoritative and recursive for my networks)

    Previously I had the following to get internal sites resolved, but
    now it seems it is completely discarded by DNSSEC.

    zone "ubi.pt" IN {
             type forward;
             forwarders { 192.168.100.1; 192.168.100.2; };
    };

    Is there any configuration to allow me to be able to access
    internal sites served by internal DNS servers, I guess not using
    DNSSEC?

    Can this only be accomplished by adding these entries to my parent
    domain?

    Thanks!
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.