bind9 configure forward zone for local domain without DNSSEC for this zone only
I found an answer. The following line in /etc/bind/named.conf.options
fixes it:

    dnssec-must-be-secure mydomain.local no;

So the full text of /etc/bind/named.conf.options
will be (skipping comments):

    options {
        directory "/var/cache/bind";
        forwarders {
            192.168.1.1;
        };
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-must-be-secure mydomain.local no;
        auth-nxdomain no;
        listen-on-v6 { any; };
    };
UPDATE: Actually, at this point I cannot tell if I indeed fixed bind with that line or didn't. Somehow all queries succeed now, with or without this line. If an expert is present here, please chip in
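Added example, not part of the original answer: a named.conf that keeps DNSSEC validation on for the whole namespace but exempts one forward zone from it, using the `validate-except` option (introduced in BIND 9.13.3, so present in 9.16 and later, and not in the 9.9 that Ubuntu 14.04 ships). The BIND ARM documents `dnssec-must-be-secure <domain> no` as "normal DNSSEC validation applies", so the option that actually skips validation for a single name is `validate-except`. The zone name and forwarder address are the ones from the question; the file paths are the Debian/Ubuntu defaults. The `dnssec-enable` line from the original is omitted because it is obsolete in BIND 9.16.

```conf
// /etc/bind/named.conf.options  (added example; assumes BIND 9.16 or later)
options {
    directory "/var/cache/bind";

    // Everything not covered by a more specific zone goes upstream.
    forwarders {
        192.168.1.1;
    };

    // Validate the whole namespace with the built-in root trust anchor
    // (auto = RFC 5011 managed key, the default in current releases).
    dnssec-validation auto;

    // Do not validate at or below this name. The signed root zone has no
    // delegation for "local", so a validator holds a signed proof that the
    // name cannot exist; an unsigned positive answer from 192.168.1.1 then
    // fails as a "broken trust chain". This exemption is scoped to the one
    // domain; validation stays on for everything else.
    validate-except { "mydomain.local"; };

    auth-nxdomain no;
    listen-on-v6 { any; };
};

// /etc/bind/named.conf.local  (forward zone from the question, unchanged)
zone "mydomain.local" IN {
    type forward;
    forward only;
    forwarders { 192.168.1.1; };
};
```

Check the syntax with `named-checkconf` before `rndc reload`. To confirm the change did what was intended rather than coinciding with something else, query the local resolver twice: `dig @127.0.0.1 server.mydomain.local +dnssec` should now return NOERROR with no `ad` flag (answered, but not validated), and `dig @127.0.0.1 server.mydomain.local +dnssec +cd` returns the answer even when validation would fail, because the CD bit disables checking; a SERVFAIL without `+cd` that turns into an answer with `+cd` pins the failure on validation rather than on reachability of 192.168.1.1. On BIND 9.11 and later, `rndc nta mydomain.local` installs a negative trust anchor with the same effect without editing the config, but it expires (one hour by default), so it is a diagnostic rather than a fix.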
galets
Updated on September 18, 2022

Comments
galets, almost 2 years ago:
I have a working DNS server for the local domain mydomain.local. I am trying to configure bind9 to work in the default configuration, except for this zone, for which I want to forward queries to the local DNS server. Here's the config I have (Ubuntu 14.04):

/etc/bind/named.conf.local:

    zone "mydomain.local" IN {
        type forward;
        forward only;
        forwarders { 192.168.1.1; };
    };

But when I try to

    nslookup server.mydomain.local

I'm getting the following in syslog:

    error (broken trust chain) resolving 'server.mydomain.local/A/IN': 192.168.1.1#53

It is my understanding that this is because of DNSSEC. I don't want to disable DNSSEC globally, but I do want to disable DNSSEC for this very zone. Is it possible?
Please do not suggest using a

    type slave;

zone. I want to achieve this with a forward zone.
Ferrybig, almost 9 years ago:
This answer only works if you have dnssec-validation set to yes; if it's set to the default auto then it won't work.
Alex, over 5 years ago:
For me it works also with dnssec-validation auto;