Moving from "type forward" to "type static-stub"

Michael Sinatra michael at rancid.berkeley.edu
Fri Sep 21 17:53:28 UTC 2012


On 9/20/12 5:49 PM, Oscar Ricardo Silva wrote:

> If I'm correct, it will send non-recursive queries to the listed servers
> and will honor delegations. I've tested this configuration in our lab
> and it all appears to be working.

Yup, static stub will do exactly that.

> With our configuration, are there any downsides to changing from forward
> zones to static-stub?  Any gotchas I should know about?

I am pretty sure that the recursive server will still cache the entries
it receives from the static-stub server.  If your goal is for
"instantaneous" updates on your recursives when your authoritatives get
updated, I don't think it will work as well as just slaving the zones.

If the goal is for the recursives to see an internal view of the zones,
then static-stub will work great.

> At this time we
> don't have dnssec validation turned on.  We tried it and had too many
> problems with misconfigured domains not resolving properly, so we backed out.

It's time to back in again (front in?).  Now that Comcast is validating,
any mistakes that people make will get fixed right quick.  1.7 million
people doing validation is good incentive to get things right and fix
them quickly.  At UC Berkeley, validation has been turned on for four
years now and only a handful of domains have required "special handling."

All of the emphasis on signing for DNSSEC is great, but DNSSEC can't
really work without validation.

michael
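The three configurations compared in this thread (forward zone, static-stub zone, and a slaved copy), written out as BIND 9 named.conf fragments. This is an added example, not configuration from the original post; the zone name, server addresses and file path are placeholders, and only one of the three zone stanzas would be used for a given zone in a given view.

```conf
// Added example (placeholders throughout): three ways a recursive server
// can reach an internal zone, as discussed in the thread.

// 1. Forward zone: the recursive server sends *recursive* queries to the
//    forwarders, which must themselves recurse on its behalf.  Delegations
//    below the zone are not followed by this server.
zone "internal.example.net" {
    type forward;
    forward only;
    forwarders { 192.0.2.10; 192.0.2.11; };
};

// 2. Static-stub zone: the recursive server sends *non-recursive*
//    (iterative) queries to the listed servers and follows any delegations
//    it receives.  Answers are still cached for their TTL, so changes on
//    the authoritatives are not seen "instantaneously".
zone "internal.example.net" {
    type static-stub;
    server-addresses { 192.0.2.10; 192.0.2.11; };
};

// 3. Slaved (secondary) copy: the zone is transferred and refreshed on
//    NOTIFY, so updates appear without waiting for cached entries to expire.
zone "internal.example.net" {
    type slave;
    masters { 192.0.2.10; 192.0.2.11; };
    file "secondary/internal.example.net.db";   // placeholder path
};

// Validation, as recommended in the reply: "auto" uses the built-in
// root trust anchor (BIND 9.7+), so no manual trusted-keys stanza is needed.
options {
    dnssec-validation auto;
};
```

For the forward and static-stub cases, `rndc flushname internal.example.net` clears the cached entries if a change must be picked up before the TTL runs out.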



More information about the bind-users mailing list