d7a9a0bc31a6089aa02b6fb312eff6d52436174c
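--- a/services/dns/Configuration.md
+++ b/services/dns/Configuration.md
@@ -48,10 +48,38 @@ zone "d.f.ip6.arpa" {
 type forward;
 forwarders { 172.20.0.53; fd42:d42:d42:54::1; };
 };
+
+# for reverse dns to work the following option must be set:
+options {
+ # [...]
+
+ # disable the integrated handling of RFC1918 and non-assigned IPv6 space reverse dns
+ empty-zones-enable no;
+
+ # [...]
+};
 ```
 
 **Note**: With DNSSEC enabled, bind might refuse to accept query results from the dn42 zone: `validating dn42/SOA: got insecure response; parent indicates it should be secure`.
 
+To disable DNSSEC validation only for certain TLDs include the following in the options section:
+```
+options {
+ # [...]
+
+ validate-except {
+ "dn42";
+ "20.172.in-addr.arpa";
+ "21.172.in-addr.arpa";
+ "22.172.in-addr.arpa";
+ "23.172.in-addr.arpa";
+ "d.f.ip6.arpa";
+ };
+
+ # [...]
+};
+```
+
 ## dnsmasq
 
 If you are running dnsmasq under openwrt, you just have to add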