DNSSEC and forwarding

Duchscher, Dave J dd at tamu.edu
Wed Apr 13 15:02:19 UTC 2022


> On Apr 13, 2022, at 12:00 AM, Grant Taylor via bind-users <bind-users at lists.isc.org> wrote:
> 
> On 4/12/22 7:18 PM, Duchscher, Dave J via bind-users wrote:
> > We are dropping this configuration and looking at doing something else.
> 
> I'm sorry to hear that.
> 
> > We have had intermittent issues with Slack, Microsoft, and a growing 
> > list of domains. Even have one that consistently fails.
> 
> Are you able to share any specific details / examples so that others can 
> see an example of what to look out for?

Sure.

Just to be clear, the setup looks like this:

  Internal DNS --> DMZ DNS Cache --> World

Internal DNS is forward only.  Only internal DNS is allowed on the DNS
cache systems.  DNSSEC validation can be enabled or disabled on the
cache systems since named always sets the check disabled flag when
forwarding. This also means that you can't forward to an upstream
DNS system and have it do the DNSSEC validation. Wish there was a
way to turn this off or if it would only set the check disabled
flag when DNSSEC validation is enabled.

Failure mode is that everything looks to work and then a domain
will stop resolving.  Sometimes we get timeouts, sometimes SERVFAIL,
and other times NXDOMAIN.

On a test setup with fresh restart, these domains always fail.

    cybr.club
    am-explorer.com
    simutext.com
    simutext2.com
    
These domains fail randomly and we have not been able to reproduce
the failure.

    a.slack-edge.com
    portal.azure.com
    rex-sftp.bncollege.com

There is also our teams and sharepoint domains but rather not put
them here.

I hope this helps. Needless to say, it has been a frustrating
situation.
--
Dave
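Added example (editor's note, not part of Dave's post or of BIND's own documentation): the two-tier layout above expressed as named.conf fragments. The point the post makes is that named forwards with the CD (checking disabled) flag set, so the DMZ cache's validation result never reaches the internal forwarder; validation therefore has to be configured on the internal forwarder itself if you want it at all. The addresses and networks are hypothetical (RFC 5737 documentation space for the DMZ, 10.0.0.0/8 for the inside), and the two `options` blocks belong to two different servers' named.conf files.

```conf
// ===== Internal DNS (forward only) -- named.conf on the internal server =====
// Hypothetical addresses; adjust to your environment.
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { 10.0.0.0/8; localhost; };

    // Everything goes to the DMZ caches; never try the world directly.
    forward only;
    forwarders { 192.0.2.53; 192.0.2.54; };

    // Validate HERE. Queries sent to the forwarders carry CD=1, so the
    // DMZ cache hands back whatever it has and this server must do the
    // DNSSEC checking itself. "auto" uses the built-in root trust anchor.
    dnssec-validation auto;
};

// ===== DMZ DNS cache -- named.conf on the DMZ server =====
options {
    directory "/var/cache/bind";
    recursion yes;

    // Only the internal forwarders may use this cache.
    allow-query     { 10.0.0.0/8; localhost; };
    allow-recursion { 10.0.0.0/8; localhost; };

    // Optional for the forwarders' benefit (see above); it still protects
    // anything that queries this cache directly without CD set.
    dnssec-validation auto;
};
```

When a domain stops resolving, the quickest way to separate a validation failure from an upstream timeout is to query the internal server twice: `dig @10.0.0.53 cybr.club +dnssec` (look for the `ad` flag on success, SERVFAIL on a validation failure) and then `dig @10.0.0.53 cybr.club +cd`. If the `+cd` query answers and the plain one returns SERVFAIL, the internal forwarder's validator rejected the data; if both time out or SERVFAIL, the problem is between the DMZ cache and the world. Run `delv @10.0.0.53 cybr.club` on the same host to get a chain-by-chain explanation of which record failed.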


