And if the stubs are validating then the answer for 10.in-addr.arpa DS is a provable NOERROR NODATA response that says there is a delegation at that point in the tree. That validator does NOT need to be configured to say ‘DO NOT VALIDATE THIS NAMESPACE’.
With internal DS the validator gets back a provable NXDOMAIN so it won’t accept any answer a local recursive server gives for names ending in .internal but a provable NXDOMAIN.

You can see this behaviour using a validating recursive server configured to forward all queries to a local recursive server with a .internal zone. Or one can use the delv tool from BIND pointing it at a recursive server with a .internal zone.

Mark

--
Mark Andrews

> On 18 Jun 2025, at 03:19, John Levine <[email protected]> wrote:
>
> It appears that Petr Špaček <[email protected]> said:
>>> I dunno about you, but on all the systems I use the local cache substitutes
>>> a stub for 10.in-addr.arpa so it doesn't matter what the global DNS says.
>> Have you used a Linux system recently? glibc does not do that and few
>> distros come with full-fledged DNS recursor on host by default.
>
> I point all my stubs at unbound which by default has a special case for
> 10.in-addr.arpa.
> You can override it if you want.
>
> R's,
> John
>
> _______________________________________________
> DNSOP mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
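
The two DS denial outcomes contrasted in the message above, as an added example that is not part of the original thread or any participant's code. The NSEC tuples are constructed samples, the function names are hypothetical, and RRSIG verification and the wildcard non-existence proof that a real validator also performs are assumed done elsewhere.

```python
# Added illustration. NSEC tuples are (owner, next name, type bitmap) and are
# constructed samples, not data copied from the live root or in-addr.arpa zones.
ROOT_NSEC = ("int.", "international.", {"NS", "DS", "RRSIG", "NSEC"})
ARPA_NSEC = ("10.in-addr.arpa.", "100.in-addr.arpa.", {"NS", "RRSIG", "NSEC"})

def canon_key(name):
    """RFC 4034 section 6.1 ordering key: lowercased labels, most significant first."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return [l.encode("ascii") for l in reversed(labels)]

def nsec_covers(owner, next_name, qname):
    """True if qname sorts strictly between owner and next_name, so it does not exist."""
    o, n, q = canon_key(owner), canon_key(next_name), canon_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC in the zone wraps around to the apex

def classify_ds_denial(qname, nsec):
    """Classify an (already signature-checked) NSEC returned for a DS query."""
    owner, next_name, types = nsec
    if canon_key(owner) == canon_key(qname):
        if "DS" in types:
            return "bogus"  # bitmap claims a DS exists, yet none was returned
        if "NS" in types and "SOA" not in types:
            # Provable NOERROR/NODATA at a delegation point: the child is unsigned.
            return "insecure-delegation"
        return "nodata-not-delegation"
    if nsec_covers(owner, next_name, qname):
        return "nxdomain"  # provable non-existence of the name itself
    return "bogus"  # the NSEC proves nothing about qname

def local_answer_acceptable(qname, nsec):
    """Can a validator accept unsigned local data at or below qname?"""
    return classify_ds_denial(qname, nsec) == "insecure-delegation"

if __name__ == "__main__":
    for q, rec in (("10.in-addr.arpa.", ARPA_NSEC), ("internal.", ROOT_NSEC)):
        print(q, classify_ds_denial(q, rec), local_answer_acceptable(q, rec))
```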
