[Dnssec-trigger] dnssec-trigger and local-zone

Tomas Hozza thozza at redhat.com
Thu Oct 16 09:33:14 UTC 2014

On 10/15/2014 07:09 PM, Ralf Jung wrote:
> Hi again,
>
> > I think setting an "insecure" forward zone for your hacker-space domain
> > to the local DNS server (unbound) could help.
> >
> > You could set up your local DHCP server to propagate that domain as a search
> > domain. Then the dnssec-trigger dispatcher script should set up the forward
> > zone automatically on the client. I'm not sure which version of the trigger
> > you're running, but if it is the latest, just adjust the /etc/dnssec.conf,
> > set up the search domain in your DHCP server and it should work.
>
> I ended up using a subdomain of our own domain, which has an insecure
> delegation, so that people don't have to configure their dnssec-trigger.
> That seems to work, "host name.local.our-domain" works fine. However,
> "host name" does not work because the DHCP-provided search name is not
> put into /etc/resolv.conf. Is that expected? It seems like a bug to me.
>
> Kind regards
> Ralf

Yes, that is expected. Someone correct me if I'm wrong, but AFAIK it is considered a security feature. The reason is to prevent any network from intentionally adding some malicious domain to your resolv.conf.

Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

Red Hat Inc. http://cz.redhat.com