DNSSEC and split DNS
dnewman at networktest.com
Mon Oct 28 21:27:18 UTC 2013
On 10/28/13 1:46 PM, Mark Andrews wrote:
> In message <526EBA87.7040602 at networktest.com>, David Newman writes:
>>> 3. Another internal nameserver gets intermittent dig +dnssec errors on
>>> queries for internal resources. Sometimes after a restart, the result is
>>> NOERROR and other times it's NXDOMAIN or SERVFAIL.
> Inconsistent use of views. The NOERROR will probably be coming
> from the internal view and the NXDOMAIN from the external view
> (or the other way around).
The underlying question is what forwarders to use, if any, on an
internal caching-only nameserver where DNSSEC and split DNS are in use.
In this case, per your guidance there are two versions of some zones,
with the internal version using delegation and the external not.
The only way I can think of is to allow recursion on authoritative
servers, but only from the caching-only servers, and put the
authoritative servers in their forwarders statement.
For all other clients, the only servers with recursion would be the
caching-only ones. And the authoritative servers would be the only ones
listed in the forwarders statement.
Or is there a better way to do this?
> As for SERVFAIL you may have badly configured firewalls that are
> dropping fragmented responses, or responses > 512 bytes resulting
> in excessive timeouts and excessive use of TCP. This is more visible
> in a newly started server.
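The layout described in this message (a caching-only resolver that forwards to the internal authoritative servers, which in turn recurse only for those resolvers and serve a separate copy of the zone to everyone else) written out as BIND named.conf fragments. This is an added example and is not configuration from the original post or from the BIND project; the names example.com, the 192.0.2.0/24 and 10.0.0.0/8 ranges, the server addresses, and the zone file paths are placeholders, and the EDNS buffer cap at the end is an assumption added to address the fragmented-response problem raised in the reply, not something the thread prescribes.

```conf
// ===== caching-only resolver (placeholder address 192.0.2.53) =====
// Added example; every name and address below is a placeholder.
acl "internal-clients" { 192.0.2.0/24; 10.0.0.0/8; };

options {
    directory "/var/named";

    // Only LAN clients may recurse through this box.
    recursion yes;
    allow-recursion { "internal-clients"; };
    allow-query     { "internal-clients"; };

    // Every query goes to the internal authoritative servers, which
    // recurse on our behalf for names they are not authoritative for.
    forwarders { 192.0.2.10; 192.0.2.11; };
    forward only;

    // Validate locally from the built-in root trust anchor (BIND 9.8+);
    // the forwarder's AD bit is not relied on.
    dnssec-enable yes;
    dnssec-validation auto;

    // Assumption: cap the advertised EDNS buffer so answers fit in one
    // unfragmented UDP packet, for firewalls that drop fragments.
    edns-udp-size 1232;
    max-udp-size  1232;
};

// ===== internal authoritative server (placeholder address 192.0.2.10) =====
// The two views each carry their own copy of example.com; only the
// internal copy delegates to sub-zones.
acl "caching-resolvers" { 192.0.2.53; 192.0.2.54; };

view "internal" {
    // Match on source address: a query arriving from any other address
    // falls through to the "external" view below.
    match-clients { "caching-resolvers"; };

    recursion yes;
    allow-recursion { "caching-resolvers"; };   // recurse only for the resolvers
    dnssec-enable yes;
    dnssec-validation auto;

    zone "example.com" {
        type master;
        file "internal/example.com.signed";      // copy with internal delegations
    };
};

view "external" {
    match-clients { any; };

    recursion no;                                // never recurse for the Internet
    dnssec-enable yes;

    zone "example.com" {
        type master;
        file "external/example.com.signed";      // public copy, no delegations
    };
};
```

The view selection is purely by source address, so the "caching-resolvers" ACL has to list every address the resolvers actually send from (including any NAT or secondary interface). A resolver whose query arrives from an address outside the ACL is served the external copy, which is one way to get the NOERROR/NXDOMAIN disagreement described in the quoted reply.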