BIND 9.11.9-1+ubuntu18.04.1+deb.sury.org+2 crash

2019-07-25 Thread FUSTE Emmanuel
The new version crashes and the BIND 9.11.8-1+ubuntu18.04.1+deb.sury.org+1 was pulled from the repo.
I'm trying the 9.14.4-1 as I need to resume the service but I have GeoIP2 migration problems.
Please re-push the previous version in the repo.

Emmanuel.

Jul 25 10:54:08 ns1 systemd[1]: Reloading.
Jul 25 10:54:08 ns1 systemd[1]: message repeated 2 times: [ Reloading.]
Jul 25 10:54:08 ns1 systemd[1]: Starting BIND Domain Name Server...
Jul 25 10:54:08 ns1 named[32210]: starting BIND 9.11.9-1+ubuntu18.04.1+deb.sury.org+2-Ubuntu (Extended Support Version) 
Jul 25 10:54:08 ns1 named[32210]: running on Linux x86_64 4.15.0-54-generic #58-Ubuntu SMP Mon Jun 24 10:55:24 UTC 2019
Jul 25 10:54:08 ns1 named[32210]: built with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--libexecdir=/usr/lib/x86_64-linux-gnu' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' '--with-libjson=/usr' '--with-lmdb=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/softhsm/libsofthsm2.so' '--with-randomdev=/dev/urandom' '--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-aM_dmU/bind9-9.11.9+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
Jul 25 10:54:08 ns1 named[32210]: running as: named -4 -u bind
Jul 25 10:54:08 ns1 named[32210]: compiled by GCC 7.4.0
Jul 25 10:54:08 ns1 named[32210]: compiled with OpenSSL version: OpenSSL 1.1.1  11 Sep 2018
Jul 25 10:54:08 ns1 named[32210]: linked to OpenSSL version: OpenSSL 1.1.1  11 Sep 2018
Jul 25 10:54:08 ns1 named[32210]: compiled with libxml2 version: 2.9.4
Jul 25 10:54:08 ns1 named[32210]: linked to libxml2 version: 20904
Jul 25 10:54:08 ns1 named[32210]: compiled with libjson-c version: 0.12.1
Jul 25 10:54:08 ns1 named[32210]: linked to libjson-c version: 0.12.1
Jul 25 10:54:08 ns1 named[32210]: compiled with zlib version: 1.2.11
Jul 25 10:54:08 ns1 named[32210]: linked to zlib version: 1.2.11
Jul 25 10:54:08 ns1 named[32210]: threads support is enabled
Jul 25 10:54:08 ns1 named[32210]: 
Jul 25 10:54:08 ns1 named[32210]: BIND 9 is maintained by Internet Systems Consortium,
Jul 25 10:54:08 ns1 named[32210]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Jul 25 10:54:08 ns1 named[32210]: corporation.  Support and training for BIND 9 are
Jul 25 10:54:08 ns1 named[32210]: available at https://www.isc.org/support
Jul 25 10:54:08 ns1 named[32210]: 
Jul 25 10:54:08 ns1 named[32210]: adjusted limit on open files from 4096 to 1048576
Jul 25 10:54:08 ns1 named[32210]: found 4 CPUs, using 4 worker threads
Jul 25 10:54:08 ns1 named[32210]: using 3 UDP listeners per interface
Jul 25 10:54:08 ns1 named[32210]: using up to 4096 sockets
Jul 25 10:54:08 ns1 named[32210]: loading configuration from '/etc/bind/named.conf'
Jul 25 10:54:08 ns1 named[32210]: reading built-in trust anchors from file '/etc/bind/bind.keys'
Jul 25 10:54:08 ns1 named[32210]: statistics channel listening on 172.16.9.21#8053
Jul 25 10:54:08 ns1 named[32210]: using default UDP/IPv4 port range: [32768, 60999]
Jul 25 10:54:08 ns1 named[32210]: listening on IPv4 interface lo, 127.0.0.1#53
Jul 25 10:54:08 ns1 named[32210]: listening on IPv4 interface eno1, 172.16.9.21#53
Jul 25 10:54:08 ns1 named[32210]: listening on IPv4 interface eno2, 10.5.9.21#53
Jul 25 10:54:08 ns1 named[32210]: listening on IPv4 interface enp7s0f0, 192.54.145.234#53
Jul 25 10:54:08 ns1 named[32210]: generating session key for dynamic DNS
Jul 25 10:54:08 ns1 named[32210]: sizing zone task pool based on 1380 zones
Jul 25 10:54:08 ns1 named[32210]: ../../../lib/isccfg/aclconf.c:845: INSIST(0) failed, back trace
Jul 25 10:54:08 ns1 named[32210]: #0 0x562f3fde5a70 in ??
Jul 25 10:54:08 ns1 named[32210]: #1 0x7ff829b7d7ea in ??
Jul 25 10:54:08 ns1 named[32210]: #2 0x7ff82a001aca in ??
Jul 25 10:54:08 ns1 named[32210]: #3 0x7ff82a00263f in ??
Jul 25 10:54:08 ns1 named[32210]: #4 0x7ff82a002882 in ??
Jul 25 10:54:08 ns1 named[32210]: #5 0x7ff82a002c52 in ??
Jul 25 10:54:08 ns1 named[32210]: #6 0x7ff82a00116a in ??
Jul 25 10:54:08 ns1 named[32210]: #7 0x7ff82a00263f in ??
Jul 25 10:54:08 ns1 named[32210]: #8 0x562f3fdc2

Re: BIND 9.11.9-1+ubuntu18.04.1+deb.sury.org+2 crash

2019-07-25 Thread FUSTE Emmanuel
Ok, I installed the GeoLite2 databases and adapted named.conf.options and the apparmor profile, and my service has resumed.
It is the second time I'm forced to switch from an ESV version to the latest version because of a bad update.
Bugs are life, but do not pull the previous version so quickly. I'm no longer able to help you debug the 9.11.9 version. All my servers are now on 9.12 or 9.14.

Emmanuel.

On 25/07/2019 at 11:51, FUSTE Emmanuel wrote:
> The new version crashes and the BIND 9.11.8-1+ubuntu18.04.1+deb.sury.org+1 was pulled from the repo.
> I'm trying the 9.14.4-1 as I need to resume the service but I have GeoIP2 migration problems.
> Please re-push the previous version in the repo.
>
> Emmanuel.

Re: BIND 9.11.9-1+ubuntu18.04.1+deb.sury.org+2 crash

2019-07-25 Thread Ondřej Surý
Hi Emmanuel,

the crash should not happen because the discrepancy between the GeoIP and GeoIP2 configurations should have been caught earlier, so I would appreciate if you can submit an issue here: https://gitlab.isc.org/isc-projects/bind9/issues with more details on your named.conf.

You can use named-checkconf -px to clean any sensitive data, and/or make sure you mark the issue as confidential if there’s still data you don’t want to be seen by the general public.  We’ll sanitize the issue later.

That said - the 9.11.9-1+ubuntu18.04.1+deb.sury.org+2 backport has missed one important commit that disables legacy GeoIP and enables GeoIP2, and I’ve just uploaded version 3+geoip2 to the Ubuntu repositories, so could you please try again with the recompiled version?  It should fix the INSIST() that you were hitting.

If that fixes your issue, we would still appreciate if you would create the issue, so we can make BIND fail more gracefully than with a crash if there’s an error in the configuration related to the switch between GeoIP and GeoIP2.

Thank you,
Ondrej
--
Ondřej Surý
ond...@isc.org

> On 25 Jul 2019, at 05:51, FUSTE Emmanuel wrote:
> 
> The new version crashes and the BIND 9.11.8-1+ubuntu18.04.1+deb.sury.org+1 was pulled from the repo.
> I'm trying the 9.14.4-1 as I need to resume the service but I have GeoIP2 migration problems.
> Please re-push the previous version in the repo.
> 
> Emmanuel.
> 

Re: BIND 9.11.9-1+ubuntu18.04.1+deb.sury.org+2 crash

2019-07-25 Thread FUSTE Emmanuel
On 25/07/2019 at 12:56, Ondřej Surý wrote:
> Hi Emmanuel,
>
> the crash should not happen because the discrepancy between the GeoIP and GeoIP2 configurations should have been caught earlier, so I would appreciate if you can submit an issue here: https://gitlab.isc.org/isc-projects/bind9/issues with more details on your named.conf.
>
> You can use named-checkconf -px to clean any sensitive data, and/or make sure you mark the issue as confidential if there’s still data you don’t want to be seen by the general public.  We’ll sanitize the issue later.
>
> That said - the 9.11.9-1+ubuntu18.04.1+deb.sury.org+2 backport has missed one important commit that disables legacy GeoIP and enables GeoIP2, and I’ve just uploaded version 3+geoip2 to the Ubuntu repositories, so could you please try again with the recompiled version?  It should fix the INSIST() that you were hitting.
>
> If that fixes your issue, we would still appreciate if you would create the issue, so we can make BIND fail more gracefully than with a crash if there’s an error in the configuration related to the switch between GeoIP and GeoIP2.
>
> Thank you,
> Ondrej
> --
> Ondřej Surý
> ond...@isc.org
>
>
Hello Ondrej,

Thank you for your quick reply.
I will create the issue shortly.
As explained in my follow-up message, it is now very difficult for me to test the updated package. I will try to find a way to test/validate it as time permits.

Thank you
Emmanuel.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: BIND 9.11.9-1+ubuntu18.04.1+deb.sury.org+2 crash

2019-07-25 Thread Ondřej Surý
The issue was caused by using GeoIP2 configuration with BIND 9.11
compiled with legacy GeoIP, so there’s no need to test it on your side.

We are just missing the combination of the options that you have used
that caused this, thus the issue.  We would be able to test it ourselves
then.

Thank you,
Ondrej
--
Ondřej Surý
ond...@isc.org

> On 25 Jul 2019, at 07:40, FUSTE Emmanuel wrote:
> 
> Hello Ondrej,
> 
> Thank you for your quick reply.
> I will create the issue shortly.
> As explained in my follow-up message, it is now very difficult for me to test the updated package. I will try to find a way to test/validate it as time permits.
> 
> Thank you
> Emmanuel.



Exempt .local from dnssec validation on resolver?

2019-07-25 Thread John Thurston
For historical reasons we have some forward zones defined on our resolver (v9.11.9). For example:

 zone "foo.local" { type forward; forwarders { 10.1.2.3; }; };
 zone "bar.local" { type forward; forwarders { 10.4.5.6; }; };

These are obviously invalid TLDs, and are defined on servers over which I have no influence or control. The difficulty is that if my named.conf contains:

  dnssec-validation auto;

then I'm unable to return records for things like a.foo.local, and my log contains info messages of the sort:

---
lame-servers: info: insecurity proof failed resolving 'foo.local/SOA/IN': 10.1.2.3#53

dnssec: info: validating foo.local/SOA: got insecure response; parent indicates it should be secure
---

Is there any way to tell my resolver it shouldn't be validating responses for foo.local?

Or must I assert authority over .local and delegate authority for 'foo' and 'bar' back to the servers which are already answering for them?




--
   Do things because you should, not just because you can.

John Thurston    907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska


Re: Exempt .local from dnssec validation on resolver?

2019-07-25 Thread Evan Hunt
On Thu, Jul 25, 2019 at 12:52:18PM -0800, John Thurston wrote:
> Is there any way to tell my resolver it shouldn't be validating 
> responses for foo.local?

In 9.11, no.  In 9.14, you can use "validate-except { local; };"

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: Exempt .local from dnssec validation on resolver?

2019-07-25 Thread Evan Hunt
On Thu, Jul 25, 2019 at 09:03:26PM +, Evan Hunt wrote:
> In 9.11, no.  In 9.14, you can use "validate-except { local; };"

(Afterthought: In 9.11, you can also use "rndc nta" to suppress validation
on a given domain, but negative trust anchors expire after a while, so you
have to keep doing it over and over.  You could sign the ".local" zone and
distribute a trust anchor for it to all of your internal resolvers.  So, I
shouldn't have said "no". But the simple fire-and-forget method that you
seemed to be looking for was not introduced until 9.14.)

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
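As an added check (example code, not from the thread or from ISC), the following Python parses a constructed named.conf fragment, lists the forward zones that no `validate-except` entry covers, and emits the per-zone `rndc nta` commands that are the expiring 9.11 fallback described above. The zone names, forwarder addresses and the `corp.example` exemption are constructed sample values.

```python
"""Forward zones not exempted from DNSSEC validation (added example, not ISC code)."""
import re

# Constructed sample named.conf fragment: the thread's two .local forward
# zones plus one already covered by a validate-except entry (BIND 9.14+).
SAMPLE_CONF = """
options {
    dnssec-validation auto;
    validate-except { "corp.example"; };
};
zone "foo.local" { type forward; forwarders { 10.1.2.3; }; };
zone "bar.local" { type forward; forwarders { 10.4.5.6; }; };
zone "lab.corp.example" { type forward; forwarders { 10.7.8.9; }; };
zone "example.org" { type slave; masters { 192.0.2.1; }; };
"""

ZONE_HEAD = re.compile(r'\bzone\s+"?([^"\s{;]+)"?(?:\s+IN)?\s*\{', re.I)
EXCEPT_HEAD = re.compile(r'\bvalidate-except\s*\{', re.I)

def _norm(name):
    """Strip quotes, lower-case and drop the trailing dot for comparisons."""
    return name.strip().strip('"').lower().rstrip(".")

def _block_body(conf, start):
    """Return (body, end) for the brace block whose '{' is at conf[start]."""
    depth = 0
    for i in range(start, len(conf)):
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
            if depth == 0:          # matching close of the outermost brace
                return conf[start + 1:i], i + 1
    raise ValueError("unbalanced braces in configuration")

def forward_zones(conf):
    """Names of all zones declared with 'type forward'."""
    pos, found = 0, []
    while True:
        m = ZONE_HEAD.search(conf, pos)
        if not m:
            return found
        body, pos = _block_body(conf, m.end() - 1)
        if re.search(r'\btype\s+forward\s*;', body, re.I):
            found.append(_norm(m.group(1)))

def validate_exceptions(conf):
    """Names listed in validate-except, or [] when the option is absent."""
    m = EXCEPT_HEAD.search(conf)
    if not m:
        return []
    body, _ = _block_body(conf, m.end() - 1)
    return [_norm(n) for n in body.split(";") if n.strip()]

def unexempted_forward_zones(conf):
    """Forward zones the resolver will still validate (not at/below an exempted name)."""
    exc = validate_exceptions(conf)
    return [z for z in forward_zones(conf)
            if not any(z == e or z.endswith("." + e) for e in exc)]

def nta_commands(conf):
    """9.11 fallback from the thread: per-zone NTAs; they expire after nta-lifetime."""
    return ["rndc nta " + z for z in unexempted_forward_zones(conf)]
```

Running `unexempted_forward_zones(SAMPLE_CONF)` reports `foo.local` and `bar.local`; with `validate-except { local; };` in the options block, as suggested above for 9.14, the list is empty.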