
I have a working DNS server for the local domain mydomain.local. I am trying to configure bind9 to work in its default configuration, except for this zone, for which I want to forward queries to the local DNS server. Here's the config I have (Ubuntu 14.04):

/etc/bind/named.conf.local:


zone "mydomain.local" IN {
    type forward;
    forward only;
    forwarders {
        192.168.1.1;
    };
};

But when I try to nslookup server.mydomain.local I'm getting the following in syslog:

error (broken trust chain) resolving 'server.mydomain.local/A/IN': 192.168.1.1#53

It is my understanding that this is because of DNSSEC. I don't want to disable DNSSEC globally, but I do want to disable DNSSEC for this very zone. Is it possible?

Please do not suggest using a type slave; zone. I want to achieve this with a forward zone.



I found an answer. The following line in /etc/bind/named.conf.options fixes it:

--->        dnssec-must-be-secure mydomain.local no;   <---

So, the full text of /etc/bind/named.conf.options will be (skipping comments):

options {
        directory "/var/cache/bind";

        forwarders {
                192.168.1.1;
        };

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-must-be-secure mydomain.local no;

        auth-nxdomain no;
        listen-on-v6 { any; };
};

UPDATE: Actually, at this point I cannot tell whether I indeed fixed bind with that line or not. Somehow all queries succeed now, with or without this line. If an expert is present here, please chip in.

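As an added example (not code from the question or either answer), a small lint that reads a BIND configuration and reports every type forward zone that a validating resolver would still try to validate, accepting either the dnssec-must-be-secure <name> no; line from this answer or the per-zone validate-except statement that BIND 9.14 and later provide. The sample configuration is constructed from the post, and the comment handling and brace matching are simplified (one nesting level), which is enough for named.conf.options and named.conf.local as shown above.

```python
import re

# Constructed sample modelled on the post above (assumption: a single file rather than named.conf.options + named.conf.local).
SAMPLE_CONF = """
options {
    directory "/var/cache/bind";
    forwarders { 192.168.1.1; };
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-must-be-secure mydomain.local no;  // line from the accepted answer
};
zone "mydomain.local" IN { type forward; forward only; forwarders { 192.168.1.1; }; };
zone "other.local"    IN { type forward; forward only; forwarders { 192.168.1.2; }; };
"""

def _strip_comments(text):
    # Drop /* */, // and # comments (simplified: no comment markers inside strings).
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def _name(n):
    return n.strip('"').lower().rstrip(".")

def forward_zones(conf):
    # Names of every 'type forward' zone; the body pattern allows one nested brace level.
    pat = r'zone\s+"([^"]+)"[^{]*\{((?:[^{}]|\{[^{}]*\})*)\}'
    return [_name(m.group(1)) for m in re.finditer(pat, conf)
            if re.search(r"\btype\s+forward\s*;", m.group(2))]

def validation_exceptions(conf):
    # Hierarchies exempted from validation: 'dnssec-must-be-secure <name> no;' (as in the
    # answer) or, on BIND 9.14 and later, 'validate-except { "<name>"; ... };'.
    names = {_name(m.group(1)) for m in
             re.finditer(r'dnssec-must-be-secure\s+("?[^\s";]+"?)\s+no\s*;', conf)}
    for m in re.finditer(r"validate-except\s*\{([^}]*)\}", conf):
        names.update(_name(n) for n in re.findall(r'"[^"]+"', m.group(1)))
    return names

def covered(zone, exceptions):
    # True when the zone itself or any ancestor name is exempted.
    labels = _name(zone).split(".")
    return any(".".join(labels[i:]) in exceptions for i in range(len(labels)))

def unprotected_forward_zones(text):
    # Forward zones a validating resolver will still try to validate.
    # Assumption: an absent dnssec-validation statement means BIND's default (enabled).
    conf = _strip_comments(text)
    if re.search(r"dnssec-validation\s+no\s*;", conf):
        return []
    exc = validation_exceptions(conf)
    return [z for z in forward_zones(conf) if not covered(z, exc)]
print(unprotected_forward_zones(SAMPLE_CONF))  # ['other.local']
```

Per the BIND ARM, dnssec-must-be-secure <name> no; only declares that the hierarchy may be insecure, which is already the default validation behaviour, so on its own it changes nothing; that is consistent with the UPDATE above, and the lint accepts it only because the answer uses it, whereas validate-except is the statement that actually switches validation off beneath a name.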

But if you create a zone "local", the parent zone for "mydomain.local", and designate as NS the IP of the server you forward to, this will make DNSSEC function with value auto.

More details: https://netfuture.ch/2014/10/adding-your-fritzbox-as-a-secure-dns-resolver-for-the-fritz-box-pseudo-domain/