[dns-operations] Bind 9.8.0 intermittent problem with non-recursive responses
Carlos Vicente
cvicente.lists at gmail.com
Fri May 20 04:34:12 UTC 2011
Hi all,
> If you're saying that you shouldn't *offer* recursive and authoritative
> services on the same box, then I generally agree. If you're saying that you
> shouldn't ever prime your cache with a zone, or have a recursive server be a
> slave to anything, then I'd say it gets kind of hairy there.
>
>
And just for the record, our publicly visible authoritative servers do not
serve recursive queries.
> A number of us have been doing that sort of thing for years, and there
> isn't really a way of getting certain zones to update quickly in a recursive
> server without really short TTLs, unless you do zone transfers. I bet
> Carlos's users demand this capability just as my users did when I worked on
> a university campus.
>
>
That's correct, and we've also been operating like that for some years now.
>
> You will particularly run into problems if you ever intend to do
>> DNSSEC validation on these name servers.. it just won't work.
>>
>
> Yes. In that case, static-stub or forwarding is your friend. Although, we
> should be clear: It won't work on the zones that are slaved by the recursive
> server. Presumably one is protecting those zones some other way (TSIG,
> SIG(0)). It *will* (and does) work for signed zones for which the recursor
> is not authoritative.
>
>
That's news to me. What's the failure mode? Does the server return
SERVFAIL, or does it not set the AD flag, or...?
Thanks,
cv