"chase DS servers" while setting up a Split-DNS-Server with static-stub

Tony Finch dot at dotat.at
Tue Feb 14 12:16:48 UTC 2017


Johannes Kastl <mail at ojkastl.de> wrote:
>
> client 192.168.99.2#22059 (ojkastl.de): query (cache) 'ojkastl.de/DS/IN' denied
>
> Is this actually something to worry about?

It's annoying but benign. The recursive server is sending DS queries to
the wrong server, to the child zone's server (from the static-stub
configuration) rather than the parent zone's servers. However it recovers
from this mistake so everything works, apart from the wasted query.

(see also https://tools.ietf.org/html/rfc3658#section-2.2.1.2
for fun edge cases resolving DS records)

> When using a forward-type zone I got lots of additional NS records for
> de (nic.de etc.) in my dig tests, so I tried the static stub.

For a "forward" zone, BIND acts as a recursive client, and expects the
target server to be a recursive server. This mostly becomes important if
there are delegations from the zone.

For a static-stub zone, BIND is an iterative client as usual, so it
expects the target server to be an authoritative server. The static-stub
configuration in effect overrides the zone's NS records.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Fitzroy: Southerly or southwesterly 5 to 7 decreasing 3 or 4, occasionally 5
later in west. Moderate or rough. Rain or showers. Moderate or good.
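A log-triage sketch for the "query (cache) ... denied" message discussed above, added here as an example; it is not part of the original post and not BIND code. It assumes the log comes from the authoritative server behind the static-stub, and that `STUB_APEXES` and `RESOLVERS` (hypothetical names) list your own stub zones and recursive servers. Only a DS query for a stub zone apex from a known resolver is treated as the benign case described in the reply, and every other cache denial is queued for review.

```python
import re

# The "query (cache) ... denied" line quoted in the thread; a timestamp or
# category prefix before "client" is tolerated because search() is used.
DENIED = re.compile(
    r"client (?:@\S+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+ \([^)]*\): "
    r"query \(cache\) '(?P<name>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied"
)

# Assumed local setup (not from the thread): zones this authoritative server
# hosts behind a static-stub, and the recursive servers that point at it.
STUB_APEXES = {"ojkastl.de"}
RESOLVERS = {"192.168.99.2"}

def triage(line, stub_apexes=STUB_APEXES, resolvers=RESOLVERS):
    """Return 'benign-ds-chase', 'review', or None for unrelated lines."""
    m = DENIED.search(line)
    if m is None:
        return None
    expected = (
        m["qtype"] == "DS"
        and m["qclass"] == "IN"
        and m["name"].rstrip(".").lower() in stub_apexes
        and m["ip"] in resolvers
    )
    return "benign-ds-chase" if expected else "review"

def review_queue(lines):
    """Lines that are cache denials but do not match the benign pattern."""
    return [ln for ln in lines if triage(ln) == "review"]

# First line is the one quoted in the thread; the rest are constructed samples.
SAMPLE_LOG = [
    "client 192.168.99.2#22059 (ojkastl.de): query (cache) 'ojkastl.de/DS/IN' denied",
    "client 192.168.99.2#40112 (www.example.net): query (cache) 'www.example.net/A/IN' denied",
    "client 203.0.113.7#5353 (ojkastl.de): query (cache) 'ojkastl.de/DS/IN' denied",
    "zone ojkastl.de/IN: loaded serial 2017021401",
]

if __name__ == "__main__":
    for ln in SAMPLE_LOG:
        print(triage(ln), "|", ln)
```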

