On 19 February 2025 13:01:01 CET, Mark Andrews <ma...@isc.org> wrote:
>You can install a negative trust anchor or sign the zone so that DNSSEC 
>validation works. The zone exists in the public DNS. You can use the same key 
>material or use different key material and publish multiple DS records for 
>both the private and public DNSKEYs. 
>
>The latter will allow DNSSEC validation to work with BYOD.
>
>You can also sign your internal zone and add trust anchors for it without 
>publishing DS records.  This won't work with BYOD. 

I'm very sorry, but you lost me there.

The zone is available publicly, but from public servers not hosted by me 
(one.com).
And points to my external ip.
My internal bind redirects local traffic directly to local servers on local 
IPs. 

It is 1 zone (jungersen.dk), currently 6 hosts (mail.jungersen.dk 
ftp.jungersen.dk and a couple more)
1 server that needs this extra caching, the rest of the machines are using the 
"real" bind directly, and this works.
Thinking about it makes me wonder why this works. Is it because it is an 
authoritative server? Even though it is not signed?

What would be the easiest route from here?

Tia
Danjel
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to
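The two options the quoted reply lists, as an added named.conf fragment for the one caching resolver that needs the internal copy of jungersen.dk. This is an editor's illustration, not configuration posted in the thread or shipped by ISC: the zone name is the poster's, the forwarder address 192.0.2.53 is a documentation-range placeholder standing in for the internal authoritative BIND, and the key tag, algorithm and digest in the commented-out trust anchor are placeholders, not the real key material.

```conf
// Added example, not from the thread. Caching resolver that must accept
// internal answers for jungersen.dk while validating everything else.

options {
    directory "/var/cache/bind";
    recursion yes;
    // Validate all answers using the built-in root trust anchor ...
    dnssec-validation auto;

    // Option 1: negative trust anchor. Answers under this one name are
    // accepted without validation, so the unsigned internal copy works.
    // Every other name is still validated. The runtime equivalent, which
    // needs no restart and expires on its own, is:
    //   rndc nta -lifetime 1h jungersen.dk
    validate-except { "jungersen.dk"; };
};

// Send local queries for the zone to the internal authoritative BIND
// (placeholder address in the documentation range) instead of to one.com.
zone "jungersen.dk" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};

// Option 2 (instead of validate-except above): sign the internal copy of
// the zone and trust its key only on this resolver, without publishing a
// DS record at one.com. Placeholder values: key tag 12345, algorithm 13
// (ECDSAP256SHA256), digest type 2 (SHA-256); the digest below is not real.
// This makes validation of the internal zone succeed here, but a BYOD
// device running its own validator has no such anchor, which is why the
// quoted reply suggests publishing DS records for both the private and the
// public DNSKEY in the public zone when BYOD must validate too.
//
// trust-anchors {
//     jungersen.dk static-ds 12345 13 2
//         "0000000000000000000000000000000000000000000000000000000000000000";
// };
```

The difference between the two options matters for the question about why the other machines work: they ask the internal authoritative BIND directly, and an authoritative server answers from its own zone data without validating it, whereas a validating recursive resolver checks answers it fetches from elsewhere against the DS chain from the root, which fails for an unsigned internal copy of a zone that is signed in the public DNS. Option 1 removes that check for the one zone; option 2 gives the resolver a key it can check against.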