servfail forwarding .local queries


Recently had an issue when setting up a conditional forwarder zone from NIOS (8.6.2) DNS appliance, forwarding to a Microsoft DNS server.

 

One forwarder zone would not resolve (others worked fine) - and the problem zone was a '.local' zone.

 

Queries to the NIOS DNS server returned a servfail, with dig including a message about "local is reserved for multicast dns".

In the NIOS syslog, it had error messages like: insecurity proof failed resolving local

 

This last error message led me to DNSSEC validation, and turning validation OFF in the NIOS DNS configuration "fixed the issue" - queries now resolved!

 

Is this really the fix or workaround for forwarding .local queries? Anything else worth trying?

 

In general, I know .local should not be used in this instance, and for sure it's not a good idea to create an AD domain as .local. But, I can't go back 10 years or so and get the AD guys to change it. Or suggest the proper fix is to migrate AD away from .local now. ;)

 

Thanks!

-Kier.

Re: servfail forwarding .local queries


Negative Trust Anchor is the way to 'fix' this, without having to disable DNSSEC validation totally.

 

Added the abc.local zone name as an NTA and all is still working. :)

-Kier.

Re: servfail forwarding .local queries


Alternatively, disable validation for the zone permanently (since NTAs expire automatically) by adding the abc.local zone name to a validate-except clause in your server's options settings:

 

options {
        ...
        validate-except { abc.local; };
        ...
};
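A check worth running before adding an NTA or a validate-except entry, as an added example that is not part of any post above: it compares a normal query with one sent with dig's `+cd` (checking disabled) flag, and a SERVFAIL that disappears under `+cd` points at DNSSEC validation rather than at the forwarder. The function names and the sample dig headers are constructed for illustration.

```bash
#!/bin/sh
# Added example: decide whether a SERVFAIL comes from DNSSEC validation.

# Print the rcode ("status: X") found in dig's ->>HEADER<<- line.
dig_status() {
    printf '%s\n' "$1" |
        sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify_validation <normal dig output> <dig +cd output>
classify_validation() {
    st_normal=$(dig_status "$1")
    st_cd=$(dig_status "$2")
    if [ -z "$st_normal" ] || [ -z "$st_cd" ]; then
        echo "no-response"
        return 0
    fi
    if [ "$st_normal" != "SERVFAIL" ]; then
        echo "ok"
        return 0
    fi
    case "$st_cd" in
        # The answer comes back once validation is skipped, so the
        # validator is what rejected it.
        NOERROR|NXDOMAIN) echo "validation-failure" ;;
        # Still failing with checking disabled: look at the forwarder.
        *) echo "other-failure" ;;
    esac
}

# Live check against a resolver: check_name <resolver-ip> <name>
check_name() {
    classify_validation \
        "$(dig @"$1" "$2" A +time=3 +tries=1)" \
        "$(dig @"$1" "$2" A +cd +time=3 +tries=1)"
}

# Constructed sample dig headers (not captured from a real server).
SAMPLE_SERVFAIL=';; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_CD_OK=';; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Run as: sh check.sh <resolver-ip> <name>
if [ "$#" -eq 2 ]; then check_name "$1" "$2"; fi
```

Re-running the same check after the NTA or validate-except change should report "ok" for the forwarded zone, while names outside it are still validated.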
