This confirms that the NS record is missing. If there were an NS record in the ubi.pt zone, the validator would have detected that the AD zone is not signed.

To fix that, just add the NS record and it should start working again.

Petr Špaček
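An added example, not taken from any message in this thread: a fragment of the signed ubi.pt zone with the delegations Petr describes. The nameserver names ns1/ns2.internal.ubi.pt are assumed; their addresses are the forwarders David posted.

```zone
; Fragment of the signed ubi.pt zone on the external authoritative servers.
; Added example for this thread; host names and addresses are assumptions.
$ORIGIN ubi.pt.
$TTL 3600

; Delegate each internal name to the internal (Windows AD) DNS servers.
; No DS record is published for these names, so once the zone is
; re-signed the NSEC/NSEC3 chain proves each delegation is insecure and
; a validating resolver stops expecting signed data below it, instead of
; treating the forwarded unsigned answer as bogus.
Internalsite1       IN NS   ns1.internal.ubi.pt.
Internalsite1       IN NS   ns2.internal.ubi.pt.
Internalsite2       IN NS   ns1.internal.ubi.pt.
Internalsite2       IN NS   ns2.internal.ubi.pt.

; di.ubi.pt needs the same treatment, pointing at its own servers
; (assumed here to be the same internal pair).
di                  IN NS   ns1.internal.ubi.pt.
di                  IN NS   ns2.internal.ubi.pt.

; Nameserver addresses (assumed: the forwarders from David's config).
; Because ubi.pt is public, these private addresses become visible
; outside; restrict who may query the authoritative servers with an ACL
; if the internal names should not resolve from the Internet.
ns1.internal        IN A    192.168.100.1
ns2.internal        IN A    192.168.100.2
```

The resolver's existing `type forward` zone for ubi.pt stays as it is; only the parent zone changes.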

On 19. 04. 23 12:42, David Carvalho wrote:
Hello and thanks.
For now I disabled DNSSEC for the zone, as there were sites that need to be 
accessible.

I found
dnssec: info: validating internalsite2.ubi.pt/CNAME: got insecure response; 
parent indicates it should be secure

I've been told the internal DNS servers (Windows) are not set to use DNSSEC, and even if 
they were, the key would be different from that on the outside servers, which 
serve the same domain.

Not optimistic....
Regards
David



-----Original Message-----
From: bind-users <bind-users-boun...@lists.isc.org> On Behalf Of Petr Špaček
Sent: 19 April 2023 10:35
To: bind-users@lists.isc.org
Subject: Re: DNSSEC and forward zone

You can disable it, but that's just a workaround.
It would be better to fix it :-)

I would recommend checking the logs on the resolver which is failing to resolve the 
domain. I guess you will find a DNSSEC validation error which would tell us 
what's misconfigured.

My bet is that the internal domains are missing delegation from the parent 
domain, which was incorrect even before and only worked accidentally.

E.g. the ubi.pt zone file needs NS records which point to the subdomains 
Internalsite1.ubi.pt, di.ubi.pt etc.

If you do not want these domains to resolve from outside, just configure an ACL on 
the authoritative servers so they do not respond to queries from outside of your 
network.

I hope it helps.
Petr Špaček



On 19. 04. 23 11:27, Darren Ankney wrote:
Hi David,

You can disable validation on one or more domains using
"validate-except" -
https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-validate-except

Thank you,

Darren Ankney

On Wed, Apr 19, 2023 at 5:05 AM David Carvalho via bind-users
<bind-users@lists.isc.org> wrote:

     Hello guys

     Asking for your help, again.

     So after setting up DNSSEC I've found I couldn't reach some internal
     sites on my top domain, served by internal DNS servers.

     There's no need to hide domains as my e-mail is shown here.

     Top domain

     ubi.pt (external DNS servers, authoritative)

                Internal DNS servers (Windows, Active Directory -
                recursive)

                Internalsite1.ubi.pt
                Internalsite2.ubi.pt
                ...

     di.ubi.pt
     (both authoritative and recursive for my networks)

     Previously I had the following to get internal sites resolved, but
     now it seems it is completely discarded by DNSSEC.

     zone "ubi.pt" IN {
              type forward;
              forwarders { 192.168.100.1; 192.168.100.2; };
     };

     Is there any configuration to allow me to be able to access
     internal sites served by internal DNS servers, I guess not using
     DNSSEC?

     Can this only be accomplished by adding these entries to my parent
     domain?

     Thanks!
--
Petr Špaček

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
