[dns-operations] Bind 9.8.0 intermittent problem with non-recursive responses

Michael Sinatra michael at rancid.berkeley.edu
Fri May 20 01:58:47 UTC 2011


Hi Matt:

On 05/19/11 17:08, Matthew Pounsett wrote:
>
> While it's possible you have encountered a bug with BIND, it's
> generally a bad idea to mix recursive and authoritative service in
> the same process. The RFCs that define the resolution algorithms were
> never written with mixed service in mind, and there are conflicts
> that can result in undefined, and therefore unpredictable,
> behaviours. It will be hard to determine which you're seeing
> without more specific information about the configuration of the
> servers in question (e.g. which zones they're actually authoritative
> for).

If you're saying that you shouldn't *offer* recursive and authoritative 
services on the same box, then I generally agree.  If you're saying that 
you shouldn't ever prime your cache with a zone, or have a recursive 
server be a slave to anything, then I'd say it gets kind of hairy there.

A number of us have been doing that sort of thing for years, and there 
isn't really a way of getting certain zones to update quickly in a 
recursive server without really short TTLs, unless you do zone 
transfers.  I bet Carlos's users demand this capability just as my users 
did when I worked on a university campus.

Moreover, the recommended RPZ configuration as of BIND 9.8.0 is to have 
your recursive servers slave your RPZ zone, so your recursives will have 
to slave something if they run RPZ.

> You will particularly run into problems if you ever intend to do
> DNSSEC validation on these name servers... it just won't work.

Yes.  In that case, static-stub or forwarding is your friend.  Although, 
we should be clear: It won't work on the zones that are slaved by the 
recursive server.  Presumably one is protecting those zones some other 
way (TSIG, SIG(0)).  It *will* (and does) work for signed zones for 
which the recursor is not authoritative.

> I maintained the cross-posting for this reply because of the general
> DNS service advice, but my suggestion would be to limit the thread to
> the bind-users until you identify or rule out a bug.

Duly trimmed.

michael
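A named.conf fragment, added here as an illustration and not something posted in the thread, that applies the advice above to a BIND 9.8 recursive server: the local zone is reached via static-stub (new in 9.8.0) rather than slaved, so DNSSEC validation still covers its answers, while only the RPZ zone is slaved, with the transfer protected by TSIG as the reply suggests. All zone names, addresses and the key value are placeholders.

```conf
// Added example, not from the thread. Placeholders: zone names, addresses, key.

key "rpz-xfer" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-REPLACE-WITH-REAL-BASE64-KEY";   // placeholder, not a real key
};

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 192.0.2.0/24; };             // placeholder client range
    dnssec-enable yes;
    dnssec-validation auto;                          // built-in root trust anchor (9.8.0+)
    response-policy { zone "rpz.example.net"; };     // consult the slaved RPZ zone below
};

// Local zone: point at the authoritative servers instead of slaving the zone,
// so answers still come through the resolver path and are DNSSEC-validated.
// (A slaved copy would be served as authoritative data and never validated.)
zone "campus.example.edu" {
    type static-stub;
    server-addresses { 192.0.2.53; 198.51.100.53; };  // placeholder authoritative servers
};

// RPZ zone: this one IS slaved, as recommended for 9.8.0. It is local policy
// data rather than validated DNS data, so the zone transfer is protected
// with TSIG instead.
zone "rpz.example.net" {
    type slave;
    file "slaves/rpz.example.net";
    masters { 203.0.113.10 key "rpz-xfer"; };        // placeholder RPZ master
};
```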
