Re: insecurity proof failed for a domain
On 13.12.21 08:18, John Thurston wrote: If you update your resolver to 9.16, I think you can do exactly what you want with the "validate-execpt" option. {rolls eyes} been there. done that. for exactly the same reason :/ On 14.12.21 16:58, Matus UHLAR - fantomas wrote: thanks, this helped. I assume I need to put "local" into validate-except {}. This should not be a problem since .local is reserved. I guess .local should have negative trust anchor in root zone. looks like I possibly could achieve the same with bind 9.11 by using rndc nta local to "temporarily" disable checking of "local" domain. BIND would periodically re-check (and fail) and prolong the nta anchor apparently forefer. the "validate-except" is however cleaner solution. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. "They say when you play that M$ CD backward you can hear satanic messages." "That's nothing. If you play it forward it will install Windows." ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: insecurity proof failed for a domain
On 13.12.21 08:18, John Thurston wrote: If you update your resolver to 9.16, I think you can do exactly what you want with the "validate-execpt" option. {rolls eyes} been there. done that. for exactly the same reason :/ thanks, this helped. I assume I need to put "local" into validate-except {}. This should not be a problem since .local is reserved. I guess .local should have negative trust anchor in root zone. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. The early bird may get the worm, but the second mouse gets the cheese. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
re: insecurity proof failed for a domain
If you update your resolver to 9.16, I think you can do exactly what you want with the "validate-execpt" option. {rolls eyes} been there. done that. for exactly the same reason :/ -- -- Do things because you should, not just because you can. John Thurston907-465-8591 john.thurs...@alaska.gov Department of Administration State of Alaska ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users