Exempt .local from dnssec validation on resolver?

John Thurston
For historical reasons we have some forward-zones defined on our
resolver (v9.11.9). For example:
  zone "foo.local" { type forward; forwarders { 10.1.2.3; }; };
  zone "bar.local" { type forward; forwarders { 10.4.5.6; }; };

These are obviously invalid TLDs, and are defined on servers over which
I have no influence or control. The difficulty is if my named.conf contains:
   dnssec-validation auto;

then I'm unable to return records for things like a.foo.local, and my
log contains info-messages of the sort:

---
lame-servers: info: insecurity proof failed resolving
'foo.local/SOA/IN': 10.1.2.3#53

dnssec: info: validating foo.local/SOA: got insecure response; parent
indicates it should be secure
---

Is there any way to tell my resolver it shouldn't be validating
responses for foo.local?

Or must I assert authority over .local and delegate authority for 'foo'
and 'bar' back to the servers which are already answering for them?



--
    Do things because you should, not just because you can.

John Thurston    907-465-8591
[hidden email]
Department of Administration
State of Alaska
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Re: Exempt .local from dnssec validation on resolver?

Evan Hunt
On Thu, Jul 25, 2019 at 12:52:18PM -0800, John Thurston wrote:
> Is there any way to tell my resolver it shouldn't be validating
> responses for foo.local?

In 9.11, no.  In 9.14, you can use "validate-except { local; };"

--
Evan Hunt -- [hidden email]
Internet Systems Consortium, Inc.
Re: Exempt .local from dnssec validation on resolver?

Evan Hunt
On Thu, Jul 25, 2019 at 09:03:26PM +0000, Evan Hunt wrote:
> In 9.11, no.  In 9.14, you can use "validate-except { local; };"

(Afterthought: In 9.11, you can also use "rndc nta" to suppress validation
on a given domain, but negative trust anchors expire after a while, so you
have to keep doing it over and over.  You could sign the ".local" zone and
distribute a trust anchor for it to all of your internal resolvers.  So, I
shouldn't have said "no". But the simple fire-and-forget method that you
seemed to be looking for was not introduced until 9.14.)

--
Evan Hunt -- [hidden email]
Internet Systems Consortium, Inc.
Re: Exempt .local from dnssec validation on resolver?

Mark Andrews
One may also want to disable synth-from-dnssec to prevent this NSEC record
synthesising a negative response.

loans. 4070 IN NSEC locker. NS DS RRSIG NSEC

If named gets a query for a name in the covered range it will learn the
NSEC record and will synthesise a negative response if there isn’t a cached
positive entry between the looked up name and loans.  The IETF decided to
not make a delegation at .local to break the chain of trust.

Mark

> On 26 Jul 2019, at 7:10 am, Evan Hunt <[hidden email]> wrote:
>
> On Thu, Jul 25, 2019 at 09:03:26PM +0000, Evan Hunt wrote:
>> In 9.11, no.  In 9.14, you can use "validate-except { local; };"
>
> (Afterthought: In 9.11, you can also use "rndc nta" to suppress validation
> on a given domain, but negative trust anchors expire after a while, so you
> have to keep doing it over and over.  You could sign the ".local" zone and
> distribute a trust anchor for it to all of your internal resolvers.  So, I
> shouldn't have said "no". But the simple fire-and-forget method that you
> seemed to be looking for was not introduced until 9.14.)

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [hidden email]
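Added example (Python, not from the thread or from BIND): it implements the RFC 4034 canonical name ordering that aggressive NSEC use (RFC 8198, BIND's synth-from-dnssec) relies on, and applies it to the root NSEC record Mark quotes to show that every name under .local, including the foo.local and bar.local forward zones from the first post, sits in the range that record covers. The name corp.example is a constructed control value; the delegation check (NS set, SOA absent) is the standard rule that a parent-side NSEC proves nothing below the zone cut.

```python
# Added example: would a cached NSEC record let a validating resolver synthesise
# NXDOMAIN for a query name?  Uses RFC 4034 section 6.1 canonical ordering.
from typing import List


def canonical_labels(name: str) -> List[bytes]:
    """Labels of a name, lowercased, rightmost (closest to the root) first."""
    name = name.rstrip(".").lower()
    return [] if not name else [lab.encode("ascii") for lab in reversed(name.split("."))]


def canonical_cmp(a: str, b: str) -> int:
    """Canonical ordering: -1 if a sorts before b, 0 if equal, 1 if after."""
    la, lb = canonical_labels(a), canonical_labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1  # bytes compare as unsigned octets; a prefix sorts first
    return (len(la) > len(lb)) - (len(la) < len(lb))  # shorter name (ancestor) sorts first


def is_below(name: str, ancestor: str) -> bool:
    """True if name is strictly below ancestor in the tree."""
    ln, la = canonical_labels(name), canonical_labels(ancestor)
    return len(ln) > len(la) and ln[:len(la)] == la


def nsec_covers(qname: str, owner: str, next_name: str, types: List[str]) -> bool:
    """True if the NSEC owner -> next_name could be used to synthesise NXDOMAIN for qname."""
    if canonical_cmp(owner, qname) >= 0:            # qname sorts at or before the owner
        return False
    wraps = canonical_cmp(next_name, owner) <= 0    # last NSEC of a zone points back to the apex
    if not wraps and canonical_cmp(qname, next_name) >= 0:
        return False
    # A parent-side NSEC at a delegation (NS present, SOA absent) says nothing below the cut
    if "NS" in types and "SOA" not in types and is_below(qname, owner):
        return False
    return True


# Taken from the record quoted in the thread: "loans. 4070 IN NSEC locker. NS DS RRSIG NSEC"
ROOT_NSEC = ("loans.", "locker.", ["NS", "DS", "RRSIG", "NSEC"])


def covered_forward_zones(zones: List[str]) -> List[str]:
    """Return the forward-zone names that the cached root NSEC would shadow."""
    owner, nxt, types = ROOT_NSEC
    return [z for z in zones if nsec_covers(z, owner, nxt, types)]


if __name__ == "__main__":
    print(covered_forward_zones(["foo.local", "bar.local", "corp.example"]))  # ['foo.local', 'bar.local']
```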
