bind9 using forwarders

I installed bind9 on localhost so that I could set up forwarders for our LAN DNS servers and for my Unix DNS servers in the DMZ (I don't have access to configure the LAN DNS server, which would be the better option). I set up something like this in /etc/bind/named.conf.local (Debian-type distro):

zone "windows.domain.servers." IN {
   type forward;
   forward only;
   forwarders { 10.0.0.1; 10.0.0.2; };
};

zone "unix.dmz.servers." IN {
   type forward;
   forward only;
   forwarders { 192.168.0.1; };
};

Domain names and forwarder IPs have been changed.
With this setup I could point my workstation at localhost for DNS queries and list both domains in the search line of /etc/resolv.conf, so that I reach the hosts I use regularly without typing the FQDN.
But there was a problem getting answers from my Unix DNS server in the DMZ; /var/log/syslog told me something like:

Nov 15 09:27:07 uranus named[8184]:   validating @0x7f94784dgd70: unix.dmz SOA: got insecure response; parent indicates it should be secure
Nov 15 09:27:07 uranus named[8184]: error (no valid RRSIG) resolving 'lb01.unix.dmz.servers/DS/IN': 192.168.0.1#53
Nov 15 09:27:07 uranus named[8184]: error (no valid DS) resolving 'lb01.unix.dmz.servers/A/IN': 192.168.0.1#53

Since I haven't got time to debug this stuff in detail, I simply edited /etc/bind/named.conf.options and set

dnssec-validation no;

and my localhost bind9 could resolve names from our DMZ. Note what this trades away: the errors above say that the validator, following the signed chain of trust from the root, expected unix.dmz.servers to be signed, so the unsigned answers coming back from 192.168.0.1 failed validation. Setting dnssec-validation to no switches validation off for every name the resolver answers, not only for the forwarded DMZ zone, so every other lookup from this workstation loses DNSSEC protection as well.
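As an added example (not code from the original post, and not ISC's), the POSIX shell script below does three things a practitioner would want before reaching for the global switch: it pulls the names that failed validation out of syslog lines like the ones quoted above, it confirms the diagnosis against the local resolver with dig (an answer only with +cd, checking disabled, means the validator rejected it), and it writes the scoped alternative: keep `dnssec-validation auto;` and list only the unsigned internal zone in `validate-except`, which needs BIND 9.14 or later; on older 9.11+ releases `rndc nta` adds a temporary negative trust anchor instead. The log lines are constructed, and the zone name and addresses are the post's placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumptions: BIND 9.14+ (validate-except), dig installed (bind9-dnsutils),
# and the post's placeholder zone unix.dmz.servers forwarded to 192.168.0.1.

# Constructed syslog lines modelled on the ones quoted in the post.
SAMPLE_LOG=$(cat <<'EOF'
Nov 15 09:27:07 uranus named[8184]: validating unix.dmz.servers SOA: got insecure response; parent indicates it should be secure
Nov 15 09:27:07 uranus named[8184]: error (no valid RRSIG) resolving 'lb01.unix.dmz.servers/DS/IN': 192.168.0.1#53
Nov 15 09:27:07 uranus named[8184]: error (no valid DS) resolving 'lb01.unix.dmz.servers/A/IN': 192.168.0.1#53
Nov 15 09:27:09 uranus named[8184]: error (no valid RRSIG) resolving 'db02.unix.dmz.servers/A/IN': 192.168.0.1#53
Nov 15 09:27:10 uranus named[8184]: client @0x7f9478 10.0.0.5#53012 (www.example.com): query: www.example.com IN A + (127.0.0.1)
EOF
)

# Print, one per line and deduplicated, the owner names whose answers the
# validator rejected with "no valid DS" / "no valid RRSIG". $1 = log text.
validation_failures() {
    printf '%s\n' "$1" \
      | sed -n "s|.*error (no valid [A-Z]*) resolving '\([^/]*\)/[A-Z]*/IN'.*|\1|p" \
      | sort -u
}

# Emit the options fragment that keeps validating public names and only
# exempts the internal, unsigned zone. $1 = zone to exempt.
validate_except_fragment() {
    cat <<EOF
options {
    // keep validating everything else (root trust anchor managed by named)
    dnssec-validation auto;
    // BIND 9.14+: skip validation only at and below this unsigned zone
    validate-except { "$1"; };
};
// Older BIND (9.11+): temporary negative trust anchor, default lifetime 1h:
//   rndc nta $1
EOF
}

# Live check against the local resolver: an answer only when the CD bit is
# set means the upstream data is fine and the validator is what rejects it.
# Needs a running resolver, so this is not exercised by the offline test.
confirm_validation_failure() {
    name=$1; server=${2:-127.0.0.1}
    plain=$(dig +short +time=2 +tries=1 @"$server" "$name" A)
    nocheck=$(dig +short +time=2 +tries=1 +cd @"$server" "$name" A)
    if [ -z "$plain" ] && [ -n "$nocheck" ]; then
        echo "$name: answer only with +cd -> DNSSEC validation failure"
    else
        echo "$name: plain='$plain' cd='$nocheck'"
    fi
}

echo "names failing validation in the sample log:"
validation_failures "$SAMPLE_LOG"
echo
echo "scoped exception for /etc/bind/named.conf.options:"
validate_except_fragment unix.dmz.servers

# Usage for the live check:  sh this_script.sh lb01.unix.dmz.servers [resolver]
if [ $# -gt 0 ]; then
    confirm_validation_failure "$@"
fi
```

After dropping the fragment into named.conf.options, `named-checkconf` and `rndc reload` apply it; `dig @127.0.0.1 lb01.unix.dmz.servers A` should then answer without +cd while `dig @127.0.0.1 www.example.com A +dnssec` still shows the AD flag.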
Thanks to isc.org and groups.google.com.
