"chase DS servers" while setting up a Split-DNS-Server with static-stub
Tony Finch
dot at dotat.at
Tue Feb 14 12:16:48 UTC 2017
Johannes Kastl <mail at ojkastl.de> wrote:
>
> client 192.168.99.2#22059 (ojkastl.de): query (cache) 'ojkastl.de/DS/IN' denied
>
> Is this actually something to worry about?

It's annoying but benign. The recursive server is sending DS queries to
the wrong server, to the child zone's server (from the static-stub
configuration) rather than the parent zone's servers. However it recovers
from this mistake so everything works, apart from the wasted query.

(see also https://tools.ietf.org/html/rfc3658#section-2.2.1.2
for fun edge cases resolving DS records)

> When using a forward-type zone I got lots of additional NS records for
> de (nic.de etc.) in my dig tests, so I tried the static stub.

For a "forward" zone, BIND acts as a recursive client, and expects the
target server to be a recursive server. This mostly becomes important if
there are delegations from the zone.

For a static-stub zone, BIND is an iterative client as usual, so it
expects the target server to be an authoritative server. The static-stub
configuration in effect overrides the zone's NS records.

Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/ - I xn--zr8h punycode
Fitzroy: Southerly or southwesterly 5 to 7 decreasing 3 or 4, occasionally 5
later in west. Moderate or rough. Rain or showers. Moderate or good.
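
The two zone types contrasted in the reply above, side by side as a resolver-side named.conf fragment. This is an added example, not part of the original thread or the poster's configuration; the zone names, the client range and the 192.0.2.x addresses are constructed placeholders.

```conf
// Resolver-side named.conf fragment (added example, constructed values).
options {
    recursion yes;
    allow-recursion { 192.0.2.0/24; };   // constructed internal client range
};

// static-stub: the resolver stays an iterative client (queries sent with
// RD=0) and expects 192.0.2.53 to answer authoritatively for the zone.
// The address listed here is used in place of the zone's NS records.
// The DS record for the zone apex belongs to the parent zone, so a DS
// query that the resolver sends to this server first can show up in that
// server's log as "query (cache) ... denied", as in the quoted log line.
zone "stub.example" {
    type static-stub;
    server-addresses { 192.0.2.53; };
};

// forward: the resolver acts as a recursive client (queries sent with
// RD=1), so 192.0.2.54 must itself provide recursion to this resolver.
// This matters most when the zone contains delegations, because the
// target server is expected to follow them on the resolver's behalf.
zone "fwd.example" {
    type forward;
    forward only;                        // do not fall back to iterative resolution
    forwarders { 192.0.2.54; };
};
```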