named forwarding


J.T. D

12:26 PM (4 hours ago)
to sipxcom-users
I'm playing around with 25.01u4, but still use 24.01u13 operationally, so no harm/no foul.

It appears named was updated in 25.01 and now security is a bit tightened with upstream forwarding.

In 24.01, I could do OS level name resolution no problem with no alteration of conf files.

OOB on 25.01, this didn't work.  Eventually I tracked it down to an option I had to manually add to named.conf for dnssec validation.  My local DNS (on router) doesn't offer dnssec resolution, so named on sipxcom was rejecting the forwarding query: I couldn't run 'dnf update'...I'd receive an error about unable to resolve the names.  The local DNS is added as a Forwarder in sipxcom.

After a brief moment of research and trial and error, I added 'dnssec-validation no;' to named.conf, reloaded the service, and voila, I could resolve again.  (My router firmware doesn't support it...yet...otherwise I'd fix the root cause instead of applying this band-aid.)

My questions are:  I see I'll have to manually update named.conf until my router can support dnssec.  How often (or what action) will named.conf be rebuilt?  Is it just sending server profiles? Or are there other activities that might trigger a rebuild?

I do see the named.conf template in the code (named.erb).  I don't feel like anything needs to be added to the template (as this would promote less security by bypassing dnssec), but I'd like to be aware of when the conf file gets updated so I can modify it.

Thanks!
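
One way to notice that a regenerated named.conf has dropped the manual override described above, as an added example that is not part of the original post or of sipXcom's code: it parses the `options` block, ignoring comments, and reports the `dnssec-validation` value and the forwarders. The sample configs, the address and the function names are constructed for illustration; the path to named.conf is passed as an argument.

```python
import re
import sys

# Strings first so comment markers inside quotes survive; then comments, braces, words.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*|[{};]|[^\s{};"]+', re.S)

# Constructed samples: a freshly regenerated file and a hand-patched one.
REGENERATED = """
options {
    directory "/var/named";
    forwarders { 192.0.2.1; };   // constructed router address
    // dnssec-validation no;
};
zone "example.test" { type master; file "example.test.zone"; };
"""
PATCHED = REGENERATED.replace("// dnssec-validation", "dnssec-validation")

def options_settings(text):
    """Return the dnssec-validation value (None if unset) and forwarders from options {}."""
    found = {"dnssec-validation": None, "forwarders": []}
    depth, in_options, stmt, prev = 0, False, [], None
    for m in TOKEN.finditer(text):
        tok = m.group(0)
        if tok.startswith(("/*", "//", "#")):
            continue                      # comment, never counts as a setting
        if tok == "{":
            depth += 1
            if depth == 1:                # top-level block opens: is it "options"?
                in_options, stmt, prev = (prev == "options"), [], tok
                continue
        elif tok == "}":
            depth -= 1
            in_options = in_options and depth > 0
        if in_options and tok == ";" and depth == 1:   # end of one options statement
            if len(stmt) >= 2 and stmt[0] == "dnssec-validation":
                found["dnssec-validation"] = stmt[1]
            elif stmt[:2] == ["forwarders", "{"]:
                found["forwarders"] = [t for t in stmt[2:] if t not in ("{", "}", ";")]
            stmt = []
        elif in_options:
            stmt.append(tok)
        prev = tok
    return found

def override_lost(text):
    """True when forwarders are set but 'dnssec-validation no;' is no longer present."""
    s = options_settings(text)
    return bool(s["forwarders"]) and s["dnssec-validation"] != "no"

if __name__ == "__main__":
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else REGENERATED
    print(options_settings(conf), "override lost:", override_lost(conf))
```

Run against the live file after each configuration push (for example from cron), this shows which actions rewrite named.conf.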