Authoritative internal server - how do I get rid of...

Kevin Darcy kcd at chrysler.com
Tue May 21 22:49:27 UTC 2013


The rule of thumb is: BIND instances need access to a root zone. Either
a) you forward for it, or
b) you are authoritative (master or slave) for it, or
c) you're set up as a "stub" for it, or
d) you prime it via the contents of an explicitly-configured "hints" 
zone, or
e) you use the compiled-in Internet root hints to prime.

Currently you're exercising option (e), but that doesn't work out too 
well, since you're isolated from the Internet root. Your instance is 
constantly trying to query unreachable nameservers.

So, pick one of the other options and go with it. If no-one else on your 
isolated network happens to be serving an internal root zone that you 
can lunch off, then your only real option is (b), where you are the 
master of your own root zone. Then, you can impress all of your friends 
by offering to let them lunch off you...

                             - Kevin

On 5/21/2013 9:42 AM, Elmar K. Bins wrote:
> Re Mark,
>
> thanks for your answer (and good morning!),
>
> marka at isc.org (Mark Andrews) wrote:
>
>
>>> Recursion is off, and the root hints file has been removed from the local
>>> zone config. No effect.
>> Authoritative nameservers still need to look up the addresses of nameservers
>> to send NOTIFY messages.  The messages you see are a result of
>> the nameserver doing these lookups.
> Oh, I forgot to mention that all master zones have "notify explicit;" set.
> (Is there a global setting for that?)
>
> So in theory they should not bother looking up root stuff.
>
>> Additionally you have DNSSEC validation and/or managed keys for the
>> root enabled.
> Err...by default? How do I switch this off?
>
> These BIND servers are really strictly internal, no outside routing, no
> forwarders, they are being used for loading, auto-signing and then
> serving-to-internal-slaves a handful of master zones, everything based on
> local info. They can't look anything up and yet they work. So well...maybe
> those lookups are really not needed?
>
> Cheers,
> 	Elmar.
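Option (b) from the reply above, written out as an added example configuration that is not part of the original thread: an isolated, authoritative-only instance that is master for its own root zone. The directory, file name, host names, serial and the 192.0.2.53 address are constructed placeholders.

```bind
// Constructed example: this server is master for its own internal root zone.
// All names, paths and addresses are placeholders, not taken from the thread.
options {
    directory "/var/named";     // assumed working directory
    recursion no;               // authoritative only, as described in the thread
};

// Option (b): an explicitly configured zone "." gives the instance a root
// zone it can answer from local data, so it no longer primes from the
// compiled-in Internet root hints (option e) and stops querying root
// servers it cannot reach.
zone "." {
    type master;
    file "db.root.internal";    // zone file shown in the comment below
};

/* Contents of /var/named/db.root.internal (constructed):

$TTL 86400
.    IN SOA ns1.internal.example. hostmaster.internal.example. (
             2013052101 ; serial
             3600       ; refresh
             900        ; retry
             604800     ; expire
             3600 )     ; negative-caching TTL
.    IN NS  ns1.internal.example.
ns1.internal.example.  IN A  192.0.2.53

; Delegations (NS records plus glue) for internally served zones would be
; added here if other servers on the isolated network are pointed at this
; root.
*/
```

`named-checkconf -z` parses the configuration and also loads each master zone, so it reports a malformed root zone file before the server is restarted.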


