Authoritative internal server - how do I get rid of...

Elmar K. Bins elmi at
Tue May 21 13:42:14 UTC 2013

Re Mark,

thanks for your answer (and good morning!),

marka at (Mark Andrews) wrote:

> > Recursion is off, and the root hints file has been removed from the local
> > zone config. No effect.
> Authoritative nameservers still need to lookup address of nameservers
> to send NOTIFY messages.  The message you see are as a result of
> the nameserver doing these lookups.

Oh, I forgot to mention that all master zones have "notify explicit;" set.
(Is there a global setting for that?)

So in theory they should not bother looking up root stuff.

> Additionally you have DNSSEC validation and/or managed keys for the
> root enabled. default? How do I switch this off?

These BIND servers are really strictly internal, no outside routing, no
forwarders, they are being used for loading, auto-signing and then
serving-to-internal-slaves a handful of master zones, everything based on
local info. They can't look anything up and yet they work. So well...maybe
those lookups are really not needed?


More information about the bind-users mailing list