Better solution than making a recursive nameserver authoritative?

Matus UHLAR - fantomas uhlar at
Wed Jun 29 11:29:28 UTC 2011

On 24.06.11 13:39, David Coulthart wrote:
>Currently the two recursive caching nameservers for clients on our 
> network are also authoritative for a few zones.  In particular, they 
> are authoritative for:
>1) our main forward zone ( in order to provide an 
>   internal view of the zone
>2) RFC 1918 reverse zones (e.g.,

Then they do exactly what internal nameservers are supposed to do.

> I would like to follow best practices by separating authoritative & 
> recursive functionality. 

The practice comes out of the need to provide correct DNS data in case 
you have configured a zone that is not anymore delegated to your server 
and is obsolete.

This practice appears not to apply for your company's main domain, 
unless you loose it and someone else claims it.

Especially if it's your internal version.

Therefore, I see no need for you to configure new server for those 
zones, you seem to have exactly what you need.

> Also, when I sign these zones, I would like the recursive nameservers 
> to respond with the AD bit set instead of AA.

I don't see any reason why you should sign the internal and rfc1918 
(and probably rfc5735) zones. What is the point of wanting this?
Matus UHLAR - fantomas, uhlar at ;
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"One World. One Web. One Program." - Microsoft promotional advertisement
"Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler

More information about the bind-users mailing list