Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
>
> the name is "testa.eu".

OK, let's dig it (trimmed for relevance):

; <<>> DiG 9.13.0-dev <<>> +multiline +dnssec testa.eu
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39666
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

So we know two things from this: the domain doesn't exist, and it is not
an authenticated denial of existence - no AD flag. So you should be OK to
have a private testa.eu domain without DNSSEC validation problems.

Looking in the AUTHORITY section...

4EIKQ8ORL4U4NTG72QEDRA6P3NDA1UNC.eu. 589 IN NSEC3 1 1 1 5CA1AB1E (
                                4EIOQGMMDB0BP76VHHBDNVEN2UUNABGK
                                NS DS RRSIG )

$ NSEC3 1 1 1 5CA1AB1E *.eu
*.eu NSEC3 1 1 1 5CA1AB1E 4EIO9SO8DATCD8U1KI8ATQ6K5UTE1QCS

This NSEC3 record proves there is no wildcard (observe the hash from my
NSEC3 utility is lexically between the two hashes above).

GLIBHU0LF7IH1TGCCS68E3R5508AKBFR.eu. 589 IN NSEC3 1 1 1 5CA1AB1E (
                                GLIJ3PFD0FCA2FL8AJIASQMBMAK8F8HB
                                NS DS RRSIG )

$ NSEC3 1 1 1 5CA1AB1E testa.eu
testa.eu NSEC3 1 1 1 5CA1AB1E GLIBUAUN6HLU7OONLEAJE4PFAHE8CFEU

This NSEC3 record proves there is no signed delegation for testa.eu. There
is an opt-out bit which means that there can be any unsigned delegations
with hashes between GLIBH... and GLIJ3...

QBQ65Q6097OCPPR0EUCQNSC1FHE073UA.eu. 589 IN NSEC3 1 1 1 5CA1AB1E (
                                QBQ6OCGMT2JNIJ4JNF2CCRFI4CE4NUE0
                                NS SOA RRSIG DNSKEY NSEC3PARAM )

$ NSEC3 1 1 1 5CA1AB1E eu
eu NSEC3 1 1 1 5CA1AB1E QBQ65Q6097OCPPR0EUCQNSC1FHE073UA

This is the closest encloser proof, identifying the .eu zone apex, which
you can tell from the type bitmap as well as the matching hashes.

So according to my understanding, a local testa.eu zone should work ok.

Letsa testa it. I have configured an empty zone on my authoritative view,
with a static-stub version in the recursive view. This is a cunning hack
to make my server validate its local authoritative zones, which I use for
all the real zones on the server.

$ named-checkconf -l | grep testa
testa.eu IN rec static-stub
testa.eu IN auth master

$ dig testa.eu soa

; <<>> DiG 9.13.0-dev <<>> testa.eu soa
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38193
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

Oh dear! As you said, it doesn't work!

I think this warrants further investigation...

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Rockall, Malin, Hebrides, Bailey: West or southwest 5 to 7, occasionally gale
8 in Hebrides and Bailey. Very rough or high, occasionally rough in Malin.
Rain then showers, becoming wintry and squally except in Malin. Good,
occasionally poor.
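
Added example, not part of the original message and not the NSEC3 utility used in it: a Python sketch of the RFC 5155 hash and the "matches / covers" comparison the message walks through by hand. The function names are hypothetical; the salt, iteration count and record hashes are copied from the dig output above.

```python
import base64
import hashlib

# Standard base32 -> base32hex ("extended hex") alphabet used for NSEC3 owner labels.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical wire form: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash (algorithm 1 = SHA-1), returned as base32hex text."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):          # 'iterations' counts the extra rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")

def classify(name_hash, owner_hash, next_hash):
    """Relation of one NSEC3 record to a hashed name: matches, covers or unrelated."""
    if name_hash == owner_hash:
        return "matches"
    if owner_hash < next_hash:
        covered = owner_hash < name_hash < next_hash
    else:                                # last record in the chain wraps around
        covered = name_hash > owner_hash or name_hash < next_hash
    return "covers" if covered else "unrelated"

# (owner hash, next hash) of the three NSEC3 records in the AUTHORITY section above.
RECORDS = [
    ("4EIKQ8ORL4U4NTG72QEDRA6P3NDA1UNC", "4EIOQGMMDB0BP76VHHBDNVEN2UUNABGK"),
    ("GLIBHU0LF7IH1TGCCS68E3R5508AKBFR", "GLIJ3PFD0FCA2FL8AJIASQMBMAK8F8HB"),
    ("QBQ65Q6097OCPPR0EUCQNSC1FHE073UA", "QBQ6OCGMT2JNIJ4JNF2CCRFI4CE4NUE0"),
]

def explain(name, salt_hex="5CA1AB1E", iterations=1):
    """Hash a name with the zone's parameters and list the records that match or cover it."""
    h = nsec3_hash(name, salt_hex, iterations)
    hits = [(owner, classify(h, owner, nxt)) for owner, nxt in RECORDS]
    return h, [(o, c) for o, c in hits if c != "unrelated"]

if __name__ == "__main__":
    for qname in ("*.eu", "testa.eu", "eu"):
        print(qname, *explain(qname))
```

Base32hex preserves the byte ordering of the underlying hash, which is why plain string comparison is enough for the "covers" test.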