You can install a negative trust anchor or sign the zone so that DNSSEC validation works. The zone exists in the public DNS. You can use the same key material or use different key material and publish multiple DS records for both the private and public DNSKEYs.
The latter will allow DNSSEC validation to work with BYOD. You can also sign your internal zone and add trust anchors for it without publishing DS records. This won't work with BYOD.

-- 
Mark Andrews

> On 19 Feb 2025, at 21:54, Danjel Jungersen <dan...@jungersen.dk> wrote:
> 
> On 19-02-2025 11:44, Mark Andrews wrote:
>> The posix boxes are validating the responses and your zone is not properly
>> delegated/signed so DNSSEC validation fails.
> Is there a way to overcome this?
> They are not delegated, since they are not public.
> - Or am I missing something?
> But explains why external queries work....
>>
>> What does the following return?
>>
>> dig +cd +dnssec mail.jungersen.dk
> 
> I assume I should use the failing bind, so I ran:
> dig +cd +dnssec mail.jungersen.dk @127.0.0.1
> 
> ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> +cd +dnssec mail.jungersen.dk @127.0.0.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48939
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1232
> ; COOKIE: 52f0a7e82a12fe100100000067b5b70dfe529ce9754d3aa8 (good)
> ;; QUESTION SECTION:
> ;mail.jungersen.dk.		IN	A
> 
> ;; ANSWER SECTION:
> mail.jungersen.dk.	372094	IN	A	192.168.20.9
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
> ;; WHEN: Wed Feb 19 11:48:45 CET 2025
> ;; MSG SIZE  rcvd: 90
> 
> BR
> Danjel

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
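The +cd query above returns the internal A record, which is consistent with Mark's diagnosis: the data is there, and only validation (which +cd switches off) is failing. The named.conf sketch below is an added illustration of the options he lists; it is not from the thread or from ISC. The zone name jungersen.dk is taken from the thread, the key material is a placeholder, and the `validate-except` option (BIND 9.16 and later) is offered here as the permanent counterpart to a temporary NTA, which the thread does not mention.

```conf
// Option 1: stop validating the internal zone on the internal resolvers.
// Temporary, from the command line (NTAs expire; nta-lifetime defaults to
// 1 hour and is capped at 1 week, so they have to be re-added):
//   rndc nta -lifetime 1w jungersen.dk
//   rndc nta -dump                  // list the NTAs currently installed
// Permanent, in named.conf: names listed in validate-except are never
// validated, even though a trust anchor (the root) exists above them.
options {
    dnssec-validation auto;
    validate-except { "jungersen.dk"; };
};

// Option 2 (public side, not named.conf): sign the zone and publish a DS in
// the .dk parent for BOTH the public KSK and the internal KSK, e.g.
//   dnssec-dsfromkey Kjungersen.dk.+013+*.key
// for each key, then hand the DS records to the registrar. Internal answers
// then validate from the public chain, which is what makes BYOD work.

// Option 3: sign the internal copy of the zone with its own key and make that
// key a trust anchor on every internal validating resolver. No DS is published,
// so BYOD devices validating via the public chain still fail on internal
// names. BIND uses the closest enclosing trust anchor, so everything under
// jungersen.dk is validated from this key rather than from the root.
trust-anchors {
    // 257 3 13 = KSK flag, protocol 3, algorithm ECDSAP256SHA256 (assumed);
    // the base64 value is the public KSK from the internal zone's .key file.
    "jungersen.dk." static-key 257 3 13 "PUBLIC-KSK-BASE64-PLACEHOLDER";
};
```

After reloading, check with the same query minus +cd: `dig +dnssec mail.jungersen.dk @127.0.0.1` should now return NOERROR instead of SERVFAIL. The caveat worth knowing is the `ad` flag: under option 1 the answer comes back unauthenticated (no `ad`), because validation was skipped, whereas under options 2 and 3 a correctly signed answer is returned with `ad` set. Option 3 only does that on resolvers carrying the extra trust anchor, which is exactly why it does not help BYOD.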