Home / server / Questions / 670411
Accepted
galets
Asked: 2015-02-22 08:05:55 +0800 CST

bind9 configure forward zone for local domain without DNSSEC for this zone only

  • 772

I have a working DNS server for local domain mydomain.local. I am trying to configure bind9 to work in default configuration, except for this zone, for which I want to forward queries to local DNS server. Here's config I have (ubuntu 14.04):

/etc/bind/named.conf.local:


zone "mydomain.local" IN {
    type forward;
    forward only;
    forwarders {
        192.168.1.1;
    };
};

But when I try to nslookup server.mydomain.local I'm getting following in syslog:

error (broken trust chain) resolving 'server.mydomain.local/A/IN': 192.168.1.1#53

It is my understanding that this is because of DNSSEC. I don't want to disable DNSSEC globally, but I do want to disable DNSSEC for this very zone. Is it possible?

Please do not suggest using type slave; zone. I want to achieve this with forward zone

bind

2 Answers

  1. Best Answer

    I found an answer. Following line in /etc/bind/named.conf.options fixes it:

    --->        dnssec-must-be-secure mydomain.local no;   <---

    So, full text of /etc/bind/named.conf.options will be (skipping comments):

    options {
        directory "/var/cache/bind";

        forwarders {
                192.168.1.1;
        };

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-must-be-secure mydomain.local no;

        auth-nxdomain no;
        listen-on-v6 { any; };
};

    UPDATE: Actually, at this point I cannot tell if I indeed fixed bind with that line or didn't. Somehow all queries succeed now, with or without this line. If an expert is present here, please chip in

    • 6

  2. But if you create a zone "local", the parent zone for "mydomain.local" and designate as ns the ip of the server you forward.this will make dnssec function with value auto.

    More details https://netfuture.ch/2014/10/adding-your-fritzbox-as-a-secure-dns-resolver-for-the-fritz-box-pseudo-domain/

    • -1