When I recently installed the root dnssec initial key on our DNS it broke
its ability to accept responses for forwarded requests for a DNS block
list zone served by another system. Other queries aren't affected. The
config for the forwarded zone looks like:
zone "dnsbl" {
    type forward;
    forward only;
    forwarders {
        10.0.0.124;
    };
};
The server at 10.0.0.124 is running rbldnsd. Queries to our main resolver
DNS for anything in the 'dnsbl' zone generate a SERVFAIL and BIND logs
messages similar to the following:
error (chase DS servers) resolving 'sbl.dnsbl/DS/IN': 10.0.0.124#53
If I disable the root initial key, the forwarded queries work again. I
think the problem is that our pseudo TLD 'dnsbl' isn't a signed zone or
something like that. The RRs for the zone are retrieved from various spam
BL repositories.
Is there a way to disable dnssec validation on a per-zone basis for
internal pseudo TLDs?
Antonio Querubin
808-545-5282 x3003
e-mail/xmpp: t...@lava.net
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
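Editor's note, added here as an example and not part of the original post or of ISC's own documentation: recent BIND 9 releases (9.14 onward) answer exactly this question with the `validate-except` option, which names domains at and below which the resolver skips DNSSEC validation while still validating the rest of the namespace. The zone name and forwarder address below are the ones from the post; the trust-anchor statement is assumed to remain whatever the administrator already has configured.

```conf
options {
    // The existing root trust anchor (initial-key / managed-keys) and
    // dnssec-validation statements stay as they are; validation remains
    // on for the public namespace.

    // Do not attempt DNSSEC validation at or below these names.
    // "dnsbl" is the internal pseudo-TLD from the post: it has no DS record
    // in the signed root zone, so answers under it can never validate and
    // would otherwise be treated as bogus (SERVFAIL).
    validate-except { "dnsbl"; };
};

zone "dnsbl" {
    type forward;
    forward only;
    forwarders {
        10.0.0.124;   // rbldnsd host from the post
    };
};
```

Before changing the configuration it is worth confirming that the SERVFAIL really is a validation failure rather than a forwarding problem: `dig @<resolver> sbl.dnsbl +cd` sets the Checking Disabled bit, and an answer that arrives with `+cd` but fails without it points at validation. On BIND 9.11 and 9.12, which predate `validate-except`, `rndc nta` offers only a time-limited negative trust anchor for the same purpose.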