One may also want to disable synth-from-dnssec to prevent this NSEC record synthesising a negative response.

    loans. 4070 IN NSEC locker. NS DS RRSIG NSEC

If named gets a query for a name in the covered range it will learn the NSEC record and will synthesise a negative response if there isn’t a cached positive entry between the looked up name and loans.

The IETF decided to not make a delegation at .local to break the chain of trust.

Mark

> On 26 Jul 2019, at 7:10 am, Evan Hunt <[email protected]> wrote:
>
> On Thu, Jul 25, 2019 at 09:03:26PM +0000, Evan Hunt wrote:
>> In 9.11, no. In 9.14, you can use "validate-except { local; };"
>
> (Afterthought: In 9.11, you can also use "rndc nta" to suppress validation
> on a given domain, but negative trust anchors expire after a while, so you
> have to keep doing it over and over. You could sign the ".local" zone and
> distribute a trust anchor for it to all of your internal resolvers. So, I
> shouldn't have said "no". But the simple fire-and-forget method that you
> seemed to be looking for was not introduced until 9.14.)
>
> --
> Evan Hunt -- [email protected]
> Internet Systems Consortium, Inc.
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> [email protected]
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
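
The check a validating resolver makes against the NSEC record quoted in the message above, written out as an added example (not part of the original thread and not BIND's code). Function names and the query names are constructed for illustration; names are assumed to contain no escaped characters.

```python
# Added example: which query names does the root-zone NSEC record from the
# message deny? Canonical ordering follows RFC 4034 section 6.1.

RECORD = "loans. 4070 IN NSEC locker. NS DS RRSIG NSEC"  # from the message

def canonical_key(name):
    """Sort key: labels right to left, each compared as lowercase octets."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return [l.lower().encode("ascii") for l in reversed(labels)]

def parse_nsec(rr_text):
    """Parse 'owner ttl IN NSEC next type...' presentation format."""
    f = rr_text.split()
    if len(f) < 5 or f[2].upper() != "IN" or f[3].upper() != "NSEC":
        raise ValueError("not an NSEC record: %r" % rr_text)
    return {"owner": f[0], "ttl": int(f[1]), "next": f[4],
            "types": {t.upper() for t in f[5:]}}

def is_subdomain(name, parent):
    n, p = canonical_key(name), canonical_key(parent)
    return len(n) > len(p) and n[:len(p)] == p

def nsec_covers(nsec, qname):
    """True if this NSEC proves qname does not exist."""
    owner, nxt, q = (canonical_key(n)
                     for n in (nsec["owner"], nsec["next"], qname))
    # NS without SOA marks a delegation: the parent's NSEC says nothing
    # about names below the zone cut (RFC 4035 section 5.4).
    if ("NS" in nsec["types"] and "SOA" not in nsec["types"]
            and is_subdomain(qname, nsec["owner"])):
        return False
    if owner < nxt:
        return owner < q < nxt
    return q > owner or q < nxt  # last NSEC in the zone wraps to the apex

if __name__ == "__main__":
    nsec = parse_nsec(RECORD)
    # Constructed query names.
    for qname in ("local.", "printer.local.", "loans.", "www.loans.", "com."):
        verdict = "denied by NSEC" if nsec_covers(nsec, qname) else "not covered"
        print("%-16s %s" % (qname, verdict))
```

Every name at or under local. sorts between loans. and locker., so an internal .local zone is provably nonexistent to a validator unless validation is suppressed for it or a trust anchor is distributed, as the thread describes.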

