Re: broken trust chain on forwarder

2016-10-03 Thread Tony Finch
/dev/rob0 wrote:
>
> > 3) Change from a forwarder to a slave and thereby become
> > authoritative and no longer have any need of DNSSEC validation on
> > this zone.
>
> Did you try with stub or static-stub?

Stub and static-stub just change how BIND finds a zone's nameservers; they don't affect va

Re: broken trust chain on forwarder

2016-09-30 Thread Miguel Mucio Santos Moreira
Dears,

Once I've tried to use stub zone to solve the same kind of problem with no success. John, if it works for you, tell us what you did.

Thanks
--
Miguel Mucio Santos Moreira
GSR Manager - Gerência de Serviços de Rede (Network Services Management)
(31)3339-1401
PRODEMGE - Companhia de Tecnologia da Informação do Est

Re: broken trust chain on forwarder

2016-09-30 Thread /dev/rob0
On Fri, Sep 30, 2016 at 01:32:29PM -0400, jratl...@bluemarble.net wrote:
> On Fri, 30 Sep 2016 11:37:39 -0500, /dev/rob0 wrote:
> >>
> >> This seems to indicate that the servers at 10.21.0.100 and 101
> >> are telling me that stc.corp domain is DNSSEC enabled. However,
> >> the new server fails

Re: broken trust chain on forwarder

2016-09-30 Thread Miguel Mucio Santos Moreira
Dears,

I understood John has an invalid internal domain called stc.corp (Microsoft AD). Some users will use a new Recursive DNS Server he said before, and this new Recursive DNS needs to query records on the internet and on the stc.corp Authoritative Server, then he created a forward zone in rec

Re: broken trust chain on forwarder

2016-09-30 Thread jratliff
On Fri, 30 Sep 2016 11:37:39 -0500, /dev/rob0 wrote:
>>
>> This seems to indicate that the servers at 10.21.0.100 and 101 are
>> telling me that stc.corp domain is DNSSEC enabled. However, the new
>> server fails to find any DS or RRSIG records, so validating this
>> claim is not possible. Is

Re: broken trust chain on forwarder

2016-09-30 Thread Warren Kumari
On Friday, September 30, 2016, /dev/rob0 wrote:
> On Fri, Sep 30, 2016 at 12:04:33PM -0400, John Ratliff wrote:
> > I am building a new recursive DNS server. I have it set to forward
> > records for a single zone to our HQ DNS servers. When I try to
> > resolve a record, I get errors like this:
>

Re: broken trust chain on forwarder

2016-09-30 Thread Miguel Mucio Santos Moreira
Hi John,

I've had the same problem as you. Either I'm gonna sign each zone on my authoritative server that I need to be forwarded internally on my Recursive Server, or I'm gonna create two layers of Recursive DNS, the first layer just with forward zones like your example but with DNSSEC disable

Re: broken trust chain on forwarder

2016-09-30 Thread /dev/rob0
On Fri, Sep 30, 2016 at 12:04:33PM -0400, John Ratliff wrote:
> I am building a new recursive DNS server. I have it set to forward
> records for a single zone to our HQ DNS servers. When I try to
> resolve a record, I get errors like this:
>
> Sep 30 11:25:39 bltn-dns-04 named[2012]: validating

broken trust chain on forwarder

2016-09-30 Thread John Ratliff
I am building a new recursive DNS server. I have it set to forward records for a single zone to our HQ DNS servers. When I try to resolve a record, I get errors like this:

Sep 30 11:25:39 bltn-dns-04 named[2012]: validating @0x7fb51810b8f0: stc.corp SOA: got insecure response; parent indicates it