Thank you for all of the responses; I really appreciate it. Clearly the best approach is to sign the internal TLD, but at the moment I can't do that because I would need new internal servers; ours don't support DNSSEC.
I configured it as a slave and it's working.

Thanks!
Maria

On Tue, Aug 20, 2013 at 08:17:03PM -0500, Timothy Morizot wrote:
> DNSSEC sign the private TLD and configure its KSK as a trust anchor on the
> recursive resolvers.
>
> Alternatively, you can configure all your recursive resolvers as slaves for
> the private zone. Authoritative responses aren't validated on a mixed
> authoritative/recursive nameserver.
>
> Those are the only two options that immediately spring to my mind.
>
> Scott
> On Aug 20, 2013 5:16 PM, "Maria" <bind-li...@iano.org> wrote:
>
> > My company uses a private TLD. We are working on fixing that but the fix
> > is going to take a while, especially if our solution ends up being trying
> > to register it with ICANN.
> >
> > Our resolvers that all internet queries go through have a forward zone
> > statement for that TLD to some internal name servers. Unfortunately, when I
> > turn on DNSSEC validation our resolvers go check out the root zone, see our
> > private zone doesn't exist, and refuse to resolve records in the zone. Is
> > there a solution I can put in place so we can do DNSSEC validation in the
> > meantime while we work on ceasing to use the private TLD?
> >
> > Thanks,
> > Maria
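The slave-zone option from the thread, as an added named.conf example that is not part of the original messages. It assumes BIND 9 with `dnssec-validation auto`; the zone name `privatetld`, the 192.0.2.x addresses and the file path are placeholders.

```conf
// Constructed example for a validating recursive resolver.
// "privatetld", the 192.0.2.x addresses and the file path are placeholders.

options {
    recursion yes;
    // Assumption: validation uses the built-in root trust anchor.
    dnssec-validation auto;
};

// Before: forwarding the private TLD to the internal servers.
// The forwarded answer is still validated, the signed root zone proves
// that the TLD does not exist, and the resolver refuses the response.
//
// zone "privatetld" {
//     type forward;
//     forward only;
//     forwarders { 192.0.2.10; 192.0.2.11; };
// };

// After: the resolver transfers the zone and answers from its own copy.
// Authoritative data on a mixed authoritative/recursive server is not
// validated, so the unsigned private zone resolves while validation
// stays on for everything else.
zone "privatetld" {
    type slave;
    masters { 192.0.2.10; 192.0.2.11; };
    file "slaves/privatetld.db";
};
```

The internal servers have to permit zone transfers to each resolver (`allow-transfer`). Because this zone's data bypasses validation, its integrity depends on the transfer path, which TSIG-signed transfers can protect.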