Bind 9.10.3: forwarded zone on a recursive server

Mark Andrews marka at isc.org
Mon Nov 20 02:13:09 UTC 2017


The simplest way is to slave the zone.  Named won’t attempt to validate zone
content it serves.  If you have other applications that validate zone content,
sign your own zone and distribute trust anchors for them.

Mark

On 20 Nov 2017, at 12:45 pm, Ivan Kurnosov <zerkms at zerkms.ru> wrote:
> 
> 
> Found it. It's caused by `dnssec`. If I enable it - the root servers are not being touched.
> 
> Then the question is - can I still have `dnssec` and somehow internet-availability-tolerant configuration?
> 
> On 20 November 2017 at 14:36, Ivan Kurnosov <zerkms at zerkms.ru> wrote:
> I'm having a really simple recursive DNS for a small office, that has a forwarded zone (being resolved by another local server).
> 
> The config looks like
> 
> options {
>     directory "/var/cache/bind";
> 
>     dnssec-validation auto;
> 
>     auth-nxdomain no;
>     listen-on-v6 { none; };
> 
>     recursion yes;
>     allow-query { any; };
> 
>     allow-transfer { none; };
> };
> 
> 
> zone "internal.companyname.co.nz" {
>     type forward;
>     forward only;
>     forwarders {
>         192.168.1.x;
>         192.168.1.y;
>     };
> };
> 
> 
> The problem I am observing is that even if I resolve a name within `internal.companyname.co.nz` the bind still tries to contact the root servers, .nz. and .co.nz. servers as well.
> 
> And if at that point the internet is not available for the machine - the response fails, even though it's the forwarded to another local server zone.
> 
> On this screenshot there are the packets I captured that are being sent to the internet 
> 
> https://i.stack.imgur.com/TphcP.png
> 
> I also asked this question at https://serverfault.com/q/884196/45086
> 
> So the question is: what else do I need to do to make this server not recurse for the forwarded-only zone?
> 
> -- 
> With best regards, Ivan Kurnosov
> 
> 
> 
> -- 
> With best regards, Ivan Kurnosov

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
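
The change suggested in the reply above, sketched as an added example (not part of the original thread and not ISC's own configuration): the forward zone from the question is replaced with a slave zone. It assumes the two internal servers are authoritative for the zone and permit zone transfers to this resolver; the file name is hypothetical.

```bind
// Before (from the question): the zone is reached by forwarding. With
// dnssec-validation auto, the poster saw named contact the root, nz and
// co.nz servers while resolving names in it.
// zone "internal.companyname.co.nz" {
//     type forward;
//     forward only;
//     forwarders { 192.168.1.x; 192.168.1.y; };
// };

// After: named transfers a copy of the zone and serves it itself.
// Per the reply, named does not validate zone content it serves.
zone "internal.companyname.co.nz" {
    type slave;
    masters {
        192.168.1.x;    // address placeholders exactly as given in the question
        192.168.1.y;
    };
    // Hypothetical file name, stored relative to the "directory" option.
    file "db.internal.companyname.co.nz";
};

// Assumption: each master lists this resolver's address in its own
// allow-transfer for the zone; otherwise the transfer is refused.
```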
