[Dnssec-trigger] dnssec-trigger and local-zone

W.C.A. Wijngaards wouter at nlnetlabs.nl
Wed Oct 15 06:40:47 UTC 2014



Hi Ralf,

On 10/14/2014 10:06 PM, Ralf Jung wrote:
> Hi,
> 
> I am currently experimenting with the DNS setup in our local
> hackerspace. Our router does not support DNSSEC as cache, so I set
> up an unbound on a server in our space, and configured DHCP
> appropriately. dnssec-trigger detects that our local cache supports
> DNSSEC. That's generally working fine.
> 
> However, we do have a "local-zone" configured to manage the names
> of machines in the space. And when I run dnssec-trigger on my
> machine, these names fail to resolve with a SERVFAIL. I assume
> that's because our local TLD is not properly signed by the root
> zone - and in fact, how could it be. Is there a way to set up local
> zones in a way that still works with DNSSEC-validating resolvers? I
> tried using the ".local" TLD, but that doesn't seem to work
> either.

You need a trust anchor for your local zone.  Because it is not DNSSEC
signed, this trust anchor is a negative trust anchor, disabling DNSSEC
for this domain.  domain-insecure: "local-zone" in unbound.conf (you
can include config files from unbound.conf if you want to separate
management for it, include: "other.conf").

Best regards,
   Wouter

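A worked unbound.conf layout for the setup Wouter describes, as an added example (not from the thread or the unbound project): the zone name "space.example", the host data and the file path /etc/unbound/local.d/space.conf are all constructed placeholders. The negative trust anchor (domain-insecure) must name the same zone as the local-zone, otherwise the validator still returns SERVFAIL for those names.

```conf
# /etc/unbound/unbound.conf (main file, constructed example)
server:
    interface: 0.0.0.0
    access-control: 10.0.0.0/8 allow
    # Root trust anchor: DNSSEC validation stays on for everything else.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

# Pull the hackerspace zone in from its own file so it can be
# maintained separately from the cache configuration.
include: "/etc/unbound/local.d/space.conf"

# ---- /etc/unbound/local.d/space.conf (included file, constructed) ----
server:
    # Negative trust anchor: the unsigned zone is treated as insecure
    # instead of bogus, so the validator no longer SERVFAILs it.
    # The name here must match the local-zone name exactly.
    domain-insecure: "space.example"

    # Locally served names for machines in the space.
    local-zone: "space.example." static
    local-data: "router.space.example.  IN A 10.0.0.1"
    local-data: "server.space.example.  IN A 10.0.0.2"
    local-data-ptr: "10.0.0.1 router.space.example"
    local-data-ptr: "10.0.0.2 server.space.example"
```

Check the merged configuration with unbound-checkconf before reloading; a typo in the zone name is the usual reason the SERVFAIL persists.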
