Thank you, I'll report back the result
On Wed, Aug 18, 2021 at 10:49 AM Mark Andrews <ma...@isc.org> wrote:
>
> > On 18 Aug 2021, at 10:23, Edwardo Garcia <wdgar...@gmail.com> wrote:
> >
> > Hola Mark,
> >
> > Thank you, so to be clear, what is mean to delegate zone, the black
> zone? I am not dns expert unfortunately
>
> Yes, create a seperate zone for black.example.net.
>
> In example.net you add NS records for black.example.net. They can use the
> same nameservers as for example.net.
>
> black.example.net. NS some.name.server.
> black.example.net. NS some-other.name.server
>
> you will end up with 2 zone clauses. Apart from the obvious name
> differences
> you won’t add the instructions to sign black.example.net to its stanza.
>
> zone example.net {
> type primary;
> file “example.net.db”;
> ...
> };
>
> zone black.example.net {
> type primary;
> file “black.example.net.db”;
> ...
> };
>
> The top of black.example.net.db has an SOA record and the same NS records
> as you put in the parent zone for it. The two sets of NS records are
> supposed to be the same.
>
> Mark
>
> > On Wed, Aug 18, 2021 at 6:23 AM Mark Andrews <ma...@isc.org> wrote:
> > Delegate the zone. Do NOT add a DS for it.
> >
> > --
> > Mark Andrews
> >
> >> On 17 Aug 2021, at 23:47, Edwardo Garcia <wdgar...@gmail.com> wrote:
> >>
> >>
> >> Hola
> >>
> >> We have dnssec working for long time but need now to have a subdomain
> excluded, we are going to be use it to replace an internal blacklist, we
> have 14 smtp servers and it is cumbersome to keep in sync.
> >>
> >> So we have example.net signed,
> >> but we want black.example.net, and of course all addresses under, eg:
> 4.3.2.1.black.example.net to work, at present of course this presents
> SERVFAIL because dnssec, obvious "black" needs to be in example.net zone,
> nd its dns is ns999 whichwork when dnssec disabled but this is not optimum
> >>
> >> looking for suggestion or guidance to how we fix this please? Ir this
> is not possible?
> >>
> >> _______________________________________________
> >> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
> >>
> >> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
> >>
> >>
> >> bind-users mailing list
> >> bind-users@lists.isc.org
> >> https://lists.isc.org/mailman/listinfo/bind-users
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>
>
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
