Re: DNSSEC Error Log - named[4132]: managed-keys-zone/“externals”: Unable to fetch DNSKEY set '.': timed out

Tony Finch dot at dotat.at
Mon Aug 5 14:21:02 UTC 2019


LeBlanc, Daniel James <daniel.leblanc at bellaliant.ca> wrote:
>
> This is occurring only on my authoritative servers and only for the view
> that I do not have recursion enabled for (the “externals” view; the
> “internals” view has recursion enabled and it is working).

It's curious that trust anchor maintenance works for one view but not the
other. Do you have query-source settings and packet filters that would
affect one view but not the other?

Authoritative servers do perform outgoing queries to resolve NS records
for sending notifies, and that is why your "externals" view is trying to
do things that you might think are just for recursive service. In most
cases you should make sure all BIND servers can do root priming and trust
anchor maintenance.

A tangential question of my own... I have deliberately kept our recursive
and authoritative servers separate. Partly this is to stop attack traffic
aimed at our auth servers from affecting recursive service. And partly to
stop myself from getting too clever with views (it is a wicked
temptation). The downside is having more kinds of servers to maintain. On
the gripping hand I'm thinking of separating auth service from xfer
service. The xfer IP addresses get wired into lots of other people's
configurations, whereas I would like more agility in how our auth service
is provisioned. I'm wondering how others balance these tradeoffs?

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Viking, North Utsire, South Utsire: Southeasterly, becoming cyclonic 2 to 4,
occasionally 5 in Viking. Smooth or slight. Rain or thundery showers. Good
occasionally poor.
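As an added illustration of the point about per-view query-source settings (this is an example configuration written for this page, not Daniel's or Tony's config, and every address and zone name in it is a made-up placeholder): a named.conf with two views where only the "externals" view is pinned to a source address that a packet filter blocks for outbound DNS. Trust anchor maintenance for that view (the fetch of the root DNSKEY set) then times out, while the "internals" view, using the default source, keeps working. The corrected form beneath it gives both views a source address that the filter permits.

```conf
// Hypothetical named.conf fragment (constructed example, not from the thread).
// Both views validate DNSSEC, so both need to fetch the root DNSKEY set for
// managed-keys maintenance, whether or not they offer recursion.

options {
    directory "/var/named";
    dnssec-validation auto;          // RFC 5011 trust anchor maintenance, all views
};

// --- Weak setting: only the non-recursive view is pinned to a source address.
// If 192.0.2.10 is not allowed outbound UDP/TCP 53 by the host or network
// filter, this view logs "Unable to fetch DNSKEY set '.': timed out".
view "externals" {
    match-clients { any; };
    recursion no;
    query-source address 192.0.2.10;        // placeholder address, filtered outbound
    zone "example.net" { type master; file "example.net.db"; };
};

view "internals" {
    match-clients { 192.0.2.0/24; };
    recursion yes;
    // no query-source here: uses the default source, which the filter allows,
    // so root priming and DNSKEY fetches succeed for this view only
    zone "example.net" { type master; file "example.net.db"; };
};

// --- Corrected: pin both views to a source address the filter permits for
// outbound DNS (or open the filter for the address the external view uses).
// Only the query-source lines differ from the weak form above.
//
// view "externals" {
//     ...
//     query-source address 192.0.2.11;   // placeholder, permitted outbound
//     ...
// };
// view "internals" {
//     ...
//     query-source address 192.0.2.11;
//     ...
// };
```

To confirm the diagnosis before changing anything, ask for the root DNSKEY set from the same source address the failing view uses, e.g. `dig -b 192.0.2.10 +norecurse @198.41.0.4 . DNSKEY` (198.41.0.4 is a.root-servers.net; substitute the view's real query-source address). A timeout there, alongside a prompt answer with `-b` set to the working view's address, points at the filter rather than at BIND. After the change, `rndc managed-keys status externals` should show the root key as current instead of pending or failed.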

