I have looked into BIND's negative trust anchor implementation. It seems that in BIND this option cannot be set to more than 1 week. After 1 week the negative trust anchor will be removed.
https://ftp.isc.org/isc/bind/9.11.0a1/doc/arm/man.rndc.html

*nta [( -d | -f | -r | -l duration)] domain [view]*

Sets a DNSSEC negative trust anchor (NTA) for domain, with a lifetime of duration. The default lifetime is configured in named.conf via the nta-lifetime option, and defaults to one hour. The lifetime cannot exceed one week.

A negative trust anchor selectively disables DNSSEC validation for zones that are known to be failing because of misconfiguration rather than an attack. When data to be validated is at or below an active NTA (and above any other configured trust anchors), *named* will abort the DNSSEC validation process and treat the data as insecure rather than bogus. This continues until the NTA's lifetime is elapsed. NTAs persist across restarts of the *named* server. The NTAs for a view are saved in a file called *name*.nta, where *name* is the name of the view, or if it contains characters that are incompatible with use as a file name, a cryptographic hash generated from the name of the view.

An existing NTA can be removed by using the -remove option.

An NTA's lifetime can be specified with the -lifetime option. TTL-style suffixes can be used to specify the lifetime in seconds, minutes, or hours. If the specified NTA already exists, its lifetime will be updated to the new value. Setting lifetime to zero is equivalent to -remove.

If -dump is used, any other arguments are ignored, and a list of existing NTAs is printed (note that this may include NTAs that are expired but have not yet been cleaned up).

Normally, *named* will periodically test to see whether data below an NTA can now be validated (see the nta-recheck option in the Administrator Reference Manual for details). If data can be validated, then the NTA is regarded as no longer necessary, and will be allowed to expire early. The -force overrides this behavior and forces an NTA to persist for its entire lifetime, regardless of whether data could be validated if the NTA were not present.

All of these options can be shortened, i.e., to -l, -r, -d, and -f.

Is there a "correct" way of implementing this "trust" between the servers? DNSSEC key sharing or something?

Thanks.

On Thu, Apr 18, 2019 at 4:35 PM Brian Candler <b.cand...@pobox.com> wrote:
> On 18/04/2019 09:23, abubin wrote:
> > However, due to DNSSEC it is not resolving the zone. It will work if I
> > disable DNSSEC in bind.
>
> You need to create a Negative Trust Anchor in your recursor for the
> domain you are forwarding.
>
> If you were using powerdns recursor, the instructions are here:
>
> https://doc.powerdns.com/recursor/settings.html#forward-zones
>
> Since you're using a bind recursor, just google for "bind negative trust
> anchor".
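To make the rules in the quoted rndc text concrete, here is a small Python model of an NTA table, written as an added illustration for this thread (it is not BIND's code): it parses TTL-style lifetimes, enforces the one-week cap, treats a zero lifetime as removal, and decides whether failing data at or below an active NTA is reported as insecure rather than bogus. The d and w suffixes are assumed from general TTL syntax, and the nta-recheck early-expiry and "above any other trust anchor" rules are left out.

```python
"""Toy model of BIND-style negative trust anchors (illustration, not BIND code)."""
import re

ONE_WEEK = 7 * 24 * 3600
# TTL-style suffixes. The man page lists s/m/h; d and w are assumed here.
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_lifetime(text):
    """Parse a lifetime such as '30m', '2h' or '600' into seconds, capped at one week."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", text.strip().lower())
    if not m:
        raise ValueError(f"bad lifetime: {text!r}")
    seconds = int(m.group(1)) * _UNITS[m.group(2)]
    if seconds > ONE_WEEK:
        raise ValueError("NTA lifetime cannot exceed one week")
    return seconds


def _labels(name):
    """Split a domain name into a label tuple, ignoring case and a trailing dot."""
    return tuple(name.lower().rstrip(".").split("."))


class NtaTable:
    def __init__(self, now=0):
        self.now = now          # simulated clock, in seconds
        self.expiry = {}        # label tuple -> absolute expiry time

    def add(self, domain, lifetime="1h"):
        """Add or refresh an NTA; a zero lifetime is equivalent to -remove."""
        seconds = parse_lifetime(lifetime)
        key = _labels(domain)
        if seconds == 0:
            self.expiry.pop(key, None)
        else:                   # re-adding an existing NTA updates its lifetime
            self.expiry[key] = self.now + seconds

    def covering_nta(self, qname):
        """Return the active NTA at or above qname, or None if there is none."""
        q = _labels(qname)
        for i in range(len(q)):
            key = q[i:]
            exp = self.expiry.get(key)
            if exp is not None and exp > self.now:
                return ".".join(key)
        return None

    def validation_outcome(self, qname, validates):
        """Model named's result: data failing validation under an NTA is insecure, not bogus."""
        if validates:
            return "secure"
        return "insecure" if self.covering_nta(qname) else "bogus"
```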
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users