[dns-operations] Bind 9.8.0 intermittent problem with non-recursive responses

Carlos Vicente cvicente.lists at gmail.com
Fri May 20 04:35:03 UTC 2011

Hi all,

> If you're saying that you shouldn't *offer* recursive and authoritative
> services on the same box, then I generally agree.  If you're saying that you
> shouldn't ever prime your cache with a zone, or have a recursive server be a
> slave to anything, then I'd say it gets kind of hairy there.

And just for the record, our publicly visible authoritative servers do not
serve recursive queries.

> A number of us have been doing that sort of thing for years, and there
> isn't really a way of getting certain zones to update quickly in a recursive
> server without really short TTLs, unless you do zone transfers.  I bet
> Carlos's users demand this capability just as my users did when I worked on
> a university campus.

That's correct, and we've also been operating like that for some years now.

>> You will particularly run into problems if you ever intend to do
>> DNSSEC validation on these name servers.. it just won't work.
> Yes.  In that case, static-stub or forwarding is your friend.  Although, we
> should be clear: It won't work on the zones that are slaved by the recursive
> server.  Presumably one is protecting those zones some other way (TSIG,
> SIG(0)).  It *will* (and does) work for signed zones for which the recursor
> is not authoritative.

That's news to me.  What's the failure mode? Does the server return
SERVFAIL, or does it not set the AD flag, or...?

