inline-signing a zone that exists in two views

Bob Harold rharolde at
Fri May 19 13:06:49 UTC 2017

On Fri, May 19, 2017 at 8:56 AM, Matus UHLAR - fantomas <uhlar at>

> Gordon Messmer <gordon.messmer at> wrote:
>>> > Is it considered best-practice (or just normal) for authoritative
>>> > servers to just not use the local server for resolution?
> On Wed, May 10, 2017 at 5:56 AM, Tony Finch <dot at> wrote:
>>> Mine don't :-)
> On 18.05.17 16:38, Bob Harold wrote:
>> My authoritative servers are non-recursive.  They use the same DNS
>> resolvers that any other server uses, and not themselves.
> this configuration will make your recursive servers provide correct data
> when your customers move their domains out without telling you so (which
> happend quite often)...
> --
> Matus UHLAR - fantomas, uhlar at ;

Very true, and I use that fact when I know a zone is in transition.  But
most of the time I have stealth slave copies (meaning not listed in NS
records) on my resolvers.
That is more complicated, and has the problem you mention, which happens
But it has some advantages:
- Updates reaching my users more quickly, no waiting for cache timeout on the
  resolvers (there are still other caches, but it helps)
- Cache poisoning attacks don't work against my zones on my resolvers, since
  they are authoritative and not cached.

I hope sometime to automate monitoring for zones moving without warning me
in advance.

Bob Harold
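The monitoring Bob hopes to automate can be reduced to a set comparison: the NS names the parent currently delegates to, versus the NS names the operator still expects to hold the zone. The script below is an added example, not code from the post or from BIND; it assumes the operator keeps an expected-NS list per zone, that dig is installed for the live lookup, and that the public recursor address is a placeholder to be replaced. The sample NS lists at the bottom are constructed, not real delegations.

```shell
#!/bin/sh
# Added example (not from the bind-users post): flag a zone whose public
# delegation no longer points at the name servers we expect, so a stealth
# secondary copy on our resolvers can be retired before it serves stale data.
# Assumptions: an expected-NS list per zone is kept by the operator, and the
# live NS set is fetched with dig from a public recursor (placeholder below).

LC_ALL=C; export LC_ALL                       # deterministic sort order
PUBLIC_RESOLVER=${PUBLIC_RESOLVER:-192.0.2.53} # placeholder, not a real recursor

# normalize_ns: NS names on stdin -> lower-case, no trailing dot, no blank
# lines, sorted and de-duplicated, so two lists compare as sets.
normalize_ns() {
    tr 'A-Z' 'a-z' | sed -e 's/\.$//' -e 's/^[[:space:]]*//' -e '/^$/d' | sort -u
}

# ns_changed EXPECTED LIVE: newline-separated NS lists.
# Prints "same" when the sets match, "moved" otherwise.
ns_changed() {
    expected=$(printf '%s\n' "$1" | normalize_ns)
    live=$(printf '%s\n' "$2" | normalize_ns)
    if [ "$expected" = "$live" ]; then echo same; else echo moved; fi
}

# ns_diff EXPECTED LIVE: one line per difference, "-name" for an expected
# server no longer delegated, "+name" for a delegated server that is not ours.
ns_diff() {
    expected=$(printf '%s\n' "$1" | normalize_ns)
    live=$(printf '%s\n' "$2" | normalize_ns)
    for n in $expected; do
        printf '%s\n' "$live" | grep -qxF "$n" || echo "-$n"
    done
    for n in $live; do
        printf '%s\n' "$expected" | grep -qxF "$n" || echo "+$n"
    done
}

# check_zone ZONE EXPECTED: live lookup via dig, report and return 1 on a move.
check_zone() {
    zone=$1; expected=$2
    live=$(dig +short NS "$zone" "@$PUBLIC_RESOLVER") || return 2
    [ -n "$live" ] || { echo "$zone: no NS answer from $PUBLIC_RESOLVER"; return 2; }
    if [ "$(ns_changed "$expected" "$live")" = same ]; then
        echo "$zone: delegation unchanged"
        return 0
    fi
    echo "$zone: delegation changed, stealth secondary should be reviewed"
    ns_diff "$expected" "$live" | sed "s/^/$zone: /"
    return 1
}

# Constructed sample data (not real zones): the expected NS set, a live answer
# that differs only in case and order, and a live answer showing a move.
EXPECTED_NS='ns1.example.net.
ns2.example.net.'
LIVE_SAME='NS2.example.net.
ns1.example.net.'
LIVE_MOVED='ns1.other-dns.example.
ns2.example.net.'

# Live use: ./ns-watch.sh customer.example expected/customer.example
# (file holds one NS name per line). With no arguments nothing is looked up.
if [ $# -eq 2 ]; then
    check_zone "$1" "$(cat "$2")"
fi
```

Run it from cron against every zone that has a stealth secondary on the resolvers; a non-zero exit from check_zone is the signal that the customer moved the zone without telling you, and the "-"/"+" lines show which servers changed.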
More information about the bind-users mailing list