inkblot/puppet-bind

Forward zone for private TLD doesn't work with DNSSEC validation

Opened this issue · 2 comments

The default values for the bind class configure a server with DNSSEC enabled and validation enabled. This causes SERVFAIL responses in forward zones for private TLDs due to the lack of proper delegation from the root zone.

Hmm. I think this should be documented, but not sure about changing the defaults. Any suggestions @nprbsg ?

Not an issue of this module, IMHO, rather a limitation of your setup. Ways around this (without deactivating DNSSEC):

  • slave the private zone locally
  • sign the private zone and install key as trust anchor in local recursor
  • host the private TLD locally and delegate the actual zone to localhost (which then forwards)
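The failure reported above and the first workaround from the reply, as a named.conf example added here (it is not code or configuration from inkblot/puppet-bind or from either participant). With validation on, the resolver asks the signed root for the DS record of the private TLD, gets back an authenticated proof that the name does not exist, and so cannot treat the forwarder's unsigned answers as a legitimately insecure zone; the result is SERVFAIL. Slaving the zone locally avoids this because BIND answers from its own authoritative zones directly and never passes that data through the validator. The TLD `corp`, the addresses `192.0.2.10` and `192.0.2.11` and the zone file path are placeholders; the `validate-except` option at the end is not mentioned in the thread and is included as a narrower alternative to switching validation off.

```conf
// Added example, not from inkblot/puppet-bind. "corp", 192.0.2.10,
// 192.0.2.11 and the zone file path are placeholders.

options {
    recursion yes;
    dnssec-validation auto;   // validate against the built-in root trust anchor
};

// Broken while validation is on: the validator cannot prove that "corp"
// is an insecure delegation (the root returns an authenticated NXDOMAIN
// for the DS lookup), so the forwarder's unsigned answers fail
// validation and clients receive SERVFAIL.
//
// zone "corp" {
//     type forward;
//     forward only;
//     forwarders { 192.0.2.10; 192.0.2.11; };
// };

// Workaround 1 from the reply: transfer the private zone and serve it
// locally. Authoritative data is answered directly, so it is never
// validated, and validation stays enabled for everything else.
// Requires that 192.0.2.10 permits zone transfers (AXFR/IXFR) to this host.
zone "corp" {
    type slave;               // "secondary" in BIND 9.16 and later
    masters { 192.0.2.10; };  // "primaries" in BIND 9.16 and later
    file "slaves/corp.db";    // directory must be writable by named
};

// Alternative not covered in the thread (BIND 9.14 and later): keep the
// forward zone but exempt only this subtree from validation, which is
// narrower than setting dnssec-validation to "no" globally.
// validate-except { "corp"; };
```

To check the result, query a name under the private TLD through the local resolver (`dig +dnssec host.corp @127.0.0.1`, with `host.corp` a placeholder): the status should be NOERROR or NXDOMAIN rather than SERVFAIL, and names under signed public zones should still carry the `ad` flag. For a temporary test without editing the configuration, `rndc nta corp` installs a negative trust anchor for that subtree; it expires after the configured `nta-lifetime` (one hour by default), so it is a diagnostic aid, not a fix.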