DNSSEC and split DNS

Mark Andrews marka at isc.org
Mon Oct 28 20:46:52 UTC 2013


In message <526EBA87.7040602 at networktest.com>, David Newman writes:
> 
> > 3. Another internal nameserver gets intermittent dig +dnssec errors on
> > queries for internal resources. Sometimes after a restart, the result is
> > NOERROR and other times it's NXDOMAIN or SERVFAIL.

Inconsistent use of views.  The NOERROR will probably be coming
from the internal view and the NXDOMAIN from the external view
(or the other way around).

As for SERVFAIL you may have badly configured firewalls that are
dropping fragmented responses, or responses > 512 bytes resulting
in excessive timeouts and excessive use of TCP.  This is more visible
in a newly started server.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
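
Added example, not part of the original message: a sketch that sorts repeated `dig +dnssec` results for one name into the two causes named in the reply above (answers alternating between views, and failures tied to responses larger than 512 bytes). The sample dig outputs are constructed, and the labels `view-mismatch` and `large-response-path` are names chosen for this example.

```python
import re
from collections import Counter

# Constructed, trimmed dig +dnssec outputs from repeated queries for one internal name.
SAMPLE_RUNS = [
    ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711\n;; MSG SIZE  rcvd: 1389\n",
    ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4712\n;; MSG SIZE  rcvd: 702\n",
    ";; Truncated, retrying in TCP mode.\n"
    ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713\n;; MSG SIZE  rcvd: 1389\n",
    ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4714\n;; MSG SIZE  rcvd: 40\n",
    ";; connection timed out; no servers could be reached\n",
]

STATUS_RE = re.compile(r"status: ([A-Z]+)")
SIZE_RE = re.compile(r"MSG SIZE\s+rcvd: (\d+)")


def parse_run(text):
    """Extract rcode, response size and TCP fallback from one dig output."""
    status = STATUS_RE.search(text)
    size = SIZE_RE.search(text)
    return {
        # No header line at all means dig never received a response.
        "status": status.group(1) if status else "TIMEOUT",
        "size": int(size.group(1)) if size else 0,
        "tcp_retry": "Truncated, retrying in TCP mode" in text,
    }


def diagnose(runs):
    """Return (findings, rcode counts) for repeated queries of the same name."""
    parsed = [parse_run(r) for r in runs]
    statuses = Counter(p["status"] for p in parsed)
    findings = []
    # The same name both existing and not existing: answers come from different views.
    if statuses["NOERROR"] and statuses["NXDOMAIN"]:
        findings.append("view-mismatch")
    # Failures alongside >512-byte or truncated answers: check the firewall path
    # for dropped fragments or large UDP responses.
    failures = statuses["SERVFAIL"] + statuses["TIMEOUT"]
    large = any(p["size"] > 512 or p["tcp_retry"] for p in parsed)
    if failures and large:
        findings.append("large-response-path")
    return findings, dict(statuses)


if __name__ == "__main__":
    print(diagnose(SAMPLE_RUNS))
```
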

