BIND 9.20.12
And adding `validate-except` to my configuration seems to be what I need, so
thanks Greg.
```
IP 10.0.10.1.33184 > 10.0.10.100.53: 43821+ [1au] A? firewall.my-home.net.lan. (62)
IP 10.0.10.100.59360 > 10.0.10.101.53: 45885+% [1au] A? firewall.my-home.net.lan. (62)
IP 10.0.10.101.53 > 10.0.10.100.59360: 45885* 1/0/1 A 10.96.48.1 (66)
IP 10.0.10.100.53 > 10.0.10.1.33184: 43821 1/0/1 A 10.96.48.1 (94)
```
So for posterity, the final configuration:
```named.conf
include "/etc/bind/rndc.key";
controls {
    inet 127.0.0.1 allow {localhost;} keys {"rndc-key";};
};
acl cachenetworks { 127.0.0.0/24; ::1/128; 10.0.10.0/24; };
acl badnetworks { };
options {
    listen-on { any; };
    listen-on-v6 { any; };
    allow-query-cache { cachenetworks; };
    blackhole { badnetworks; };
    forward first;
    forwarders { 9.9.9.9; 149.112.112.112; 2620:fe::fe; 2620:fe::9; };
    directory "/run/named";
    pid-file "/run/named/named.pid";
    validate-except { my-home.net.lan; };
};
zone "my-home.net.lan" {
    type forward;
    forward only;
    forwarders { 10.0.10.101; };
};
```
And for those of the NixOS bent like I am (since this is what is generating the
configuration BIND uses):
```nix
services.bind = {
  enable = true;
  cacheNetworks = [
    "127.0.0.0/24"
    "::1/128"
    "10.0.10.0/24"
  ];
  forward = "first";
  extraOptions = ''
    validate-except { my-home.net.lan; };
  '';
  extraConfig = ''
    zone "my-home.net.lan" {
      type forward;
      forward only;
      forwarders { 10.0.10.101; };
    };
  '';
};
```
On 9/13/25 18:01, Greg Choules wrote:
Hello.
What version of BIND are you running?
By default, BIND will attempt to perform DNSSEC validation, which is probably why
you're seeing the DS query. See here for more information on validation and DNSSEC in
general:
https://bind9.readthedocs.io/en/latest/dnssec-guide.html#dnssec-validation-explained
You might want to leave validation enabled in general, but disable it for domains that you know
are not signed, like "my-home.net.lan". Take a look at this configuration statement:
https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-validate-except
I hope that helps.
Cheers, Greg
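
A lint for the final configuration above, as an added example that is not part of the original thread or of BIND: it checks that every `type forward` zone sits at or beneath a `validate-except` name, and flags any exemption that reaches beyond the forwarded zones, so DNSSEC validation is switched off only for the internal namespace. The function names, finding labels and the policy itself are assumptions, and the regex parsing covers only simple `named.conf` layouts with validation left at its default.

```python
import re

# Constructed sample: options and zone statements from the configuration above.
SAMPLE_CONF = '''
options {
    forward first;
    forwarders { 9.9.9.9; 149.112.112.112; };
    validate-except { my-home.net.lan; };
};
zone "my-home.net.lan" {
    type forward;
    forward only;
    forwarders { 10.0.10.101; };
};
'''

def norm(name):
    """Lower-case a domain name; drop quotes and the trailing dot."""
    return name.strip().strip('"').rstrip('.').lower()

def covers(parent, child):
    """True when child is at or beneath parent, compared label-wise."""
    return parent == '' or child == parent or child.endswith('.' + parent)

def validate_except_names(conf):
    names = []
    for body in re.findall(r'validate-except\s*\{([^}]*)\}', conf):
        names += [norm(n) for n in body.split(';') if n.strip()]
    return names

def forward_zones(conf):
    pat = r'\bzone\s+"([^"]+)"[^{]*\{((?:[^{}]|\{[^{}]*\})*)\}'
    return [norm(name) for name, body in re.findall(pat, conf)
            if re.search(r'\btype\s+forward\s*;', body)]

def audit(conf):
    """Return (finding, name) pairs; an empty list means the policy holds."""
    conf = re.sub(r'/\*.*?\*/|(#|//)[^\n]*', '', conf, flags=re.S)  # comments
    exempt, zones = validate_except_names(conf), forward_zones(conf)
    findings = []
    for z in zones:  # internal zone whose answers would still be validated
        if not any(covers(e, z) for e in exempt):
            findings.append(('forward-zone-still-validated', z))
    for e in exempt:  # exemption reaching beyond the forwarded namespace
        if not any(covers(z, e) for z in zones):
            findings.append(('exemption-wider-than-forward-zones', e))
    return findings

if __name__ == '__main__':
    print(audit(SAMPLE_CONF) or 'validate-except matches the forward zones')
```
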