[dns-operations] Bind 9.8.0 intermittent problem with non-recursive responses
cvicente.lists at gmail.com
Fri May 20 04:35:03 UTC 2011
> If you're saying that you shouldn't *offer* recursive and authoritative
> services on the same box, then I generally agree. If you're saying that you
> shouldn't ever prime your cache with a zone, or have a recursive server be a
> slave to anything, then I'd say it gets kind of hairy there.
And just for the record, our publicly visible authoritative servers do not
serve recursive queries.
> A number of us have been doing that sort of thing for years, and there
> isn't really a way of getting certain zones to update quickly in a recursive
> server without really short TTLs, unless you do zone transfers. I bet
> Carlos's users demand this capability just as my users did when I worked on
> a university campus.
That's correct, and we've also been operating like that for some years now.
>> You will particularly run into problems if you ever intend to do
>> DNSSEC validation on these name servers.. it just won't work.
> Yes. In that case, static-stub or forwarding is your friend. Although, we
> should be clear: It won't work on the zones that are slaved by the recursive
> server. Presumably one is protecting those zones some other way (TSIG,
> SIG(0)). It *will* (and does) work for signed zones for which the recursor
> is not authoritative.
That's news to me. What's the failure mode? Does the server return
SERVFAIL, or does it not set the AD flag, or...?