[Dnssec-trigger] dnssec-trigger and local-zone

Ralf Jung post at ralfj.de
Wed Oct 15 08:25:03 UTC 2014


Hi,

>> I am currently experimenting with the DNS setup in our local
>> hackerspace. Our router does not support DNSSEC as cache, so I set
>> up an unbound on a server in our space, and configured DHCP
>> appropriately. dnssec-trigger detects that our local cache supports
>> DNSSEC. That's generally working fine.
> 
>> However, we do have a "local-zone" configured to manage the names
>> of machines in the space. And when I run dnssec-trigger on my
>> machine, these names fail to resolve with a SERVFAIL. I assume
>> that's because our local TLD is not properly signed by the root
>> zone - and in fact, how could it be. Is there a way to set up local
>> zones in a way that still works with DNSSEC-validating resolvers? I
>> tried using the ".local" TLD, but that doesn't seem to work
>> either.
> 
> You need a trust anchor for your local zone.  Because it is not DNSSEC
> signed this trust anchor is a negative trust anchor, disabling DNSSEC
> for this domain.  domain-insecure: "local-zone" in unbound.conf (you
> can include config files from unbound.conf if you want to separate
> management for it, include: "other.conf").

That would be configuration in the unbound running on my local machine,
right? That doesn't really help, unfortunately - I can't ask everybody
who's using dnssec-trigger to manually configure their machine.

I was hoping that there would be a TLD that had a non-trusted delegation
from the root, or similar, such that one can easily create "fake"
answers below that TLD. If nothing like that exists, I will have to use
a subdomain of our domain, and manually create a non-trusted delegation.

Kind regards
Ralf
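As an added illustration of the two approaches discussed above (this is not configuration from the thread or from the dnssec-trigger project), the fragment below shows how the two unbound instances involved would be configured: the hackerspace resolver that serves the unsigned local zone, and a validating client resolver that must be told the zone is deliberately unsigned. The zone name "space.example", the addresses and the file paths are assumed placeholders.

```conf
# Part 1: on the hackerspace resolver, which advertises itself via DHCP.
# Assumed file: /etc/unbound/unbound.conf.d/space.conf
server:
    # Validate everything else against the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Local names, answered authoritatively from this resolver and never
    # signed. Any validator that forwards here will reject them as bogus
    # unless it is told the zone is insecure (see part 2).
    local-zone: "space.example." static
    local-data: "router.space.example.  IN A 10.0.0.1"
    local-data: "printer.space.example. IN A 10.0.0.20"
    local-data-ptr: "10.0.0.1  router.space.example"
    local-data-ptr: "10.0.0.20 printer.space.example"

# Part 2: on each client running dnssec-trigger, pulled into the
# dnssec-trigger-managed unbound.conf with
#     include: "/etc/unbound/local-insecure.conf"
# Assumed file: /etc/unbound/local-insecure.conf
server:
    # Negative trust anchor: treat this name and everything below it as
    # "insecure" instead of "bogus", so unsigned answers forwarded from the
    # hackerspace resolver are returned (with the AD bit clear) rather than
    # turned into SERVFAIL. Keep the scope as narrow as the local zone;
    # validation is switched off only for names under it.
    domain-insecure: "space.example"
```

Check the result with `unbound-checkconf` on both hosts and then `unbound-host -v router.space.example` on a client, which should report the address as "(insecure)" rather than "(BOGUS ...)". The alternative Ralf mentions, a subdomain of the space's real domain, needs no client-side configuration at all: the signed parent zone delegates the subdomain with NS records but no DS record, the parent's NSEC/NSEC3 records prove that the DS is absent, and every validating resolver then treats the subdomain as insecure on its own.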



More information about the dnssec-trigger mailing list