Problems with caching server that forwards to an internal split-brain authoritative server

Joseph L. Casale jcasale at gmail.com
Fri Mar 11 01:16:21 UTC 2022


I am trying to replicate a working configuration from an older host
that has a caching server that forwards to an Active Directory DNS
server at 172.18.0.2 which is part of a split-brain setup, with a public
copy of its zone hosted with Google.

When I attempt to resolve a record on the new caching server, it works
fine only if the record is not part of the zone hosted by the Active
Directory server. For example, `dig lists.isc.org` works fine.

When I attempt to resolve a record in the zone hosted on the forwarder, it
fails with SERVFAIL and I get the following errors in the logs:

named[1158]: chase DS servers resolving 'example.com/DS/IN': 172.18.0.2#53
named[1158]: no valid DS resolving 'name.example.com/A/IN': 172.18.0.2#53

The configuration I am using is shown below, any ideas as to what I am
overlooking?

// Caching-only resolver: listens on loopback only and answers only local
// clients (allow-query), so it is not reachable as an open resolver.
options {
  listen-on port 53 { 127.0.0.1; };
  listen-on-v6 port 53 { ::1; };
  directory "/var/named";
  dump-file "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";
  secroots-file "/var/named/data/named.secroots";
  recursing-file "/var/named/data/named.recursing";
  allow-query     { localhost; };
  recursion yes;
  // "forward only": every query goes to the forwarder below; the root
  // hints in zone "." are not used for iterative resolution while the
  // forwarder answers.
  forward only;
  forwarders {
    172.18.0.2;   // internal Active Directory DNS (split-brain zone)
  };
  // NOTE(review): dnssec-enable is deprecated in recent BIND releases
  // (ignored in 9.16, rejected by 9.18) — confirm against the installed
  // version before relying on it.
  dnssec-enable yes;
  // NOTE(review): with validation on, the resolver chases the DS for the
  // split-brain zone through this forwarder. If the public copy of the
  // zone is DNSSEC-signed (its parent publishes a DS) but the internal AD
  // copy is unsigned, the internal answers cannot validate and every
  // lookup in that zone SERVFAILs with "no valid DS" — which matches the
  // log lines above. Options, in order of preference: keep validation and
  // exempt just that zone with `validate-except { "<internal-zone>"; };`
  // (BIND 9.16+), or add a negative trust anchor with `rndc nta`
  // (temporary, must be renewed); disabling validation globally removes
  // protection for every other zone and is not recommended. Confirm the
  // public zone's DS status with `dig +dnssec DS <zone>` first.
  dnssec-validation yes;
  managed-keys-directory "/var/named/dynamic";
  pid-file "/run/named/named.pid";
  session-keyfile "/run/named/session.key";
  // Distribution-managed TLS/crypto policy for named (RHEL/Fedora style).
  include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
    channel default_debug {
    file "data/named.run";
    severity dynamic;
  };
};
// Root hints; only consulted if forwarding does not apply (see "forward only").
zone "." IN {
  type hint;
  file "named.ca";
};
include "/etc/named.rfc1912.zones";
// Root trust anchor used for DNSSEC validation of the public namespace.
include "/etc/named.root.key";

