Can we provide recursion for forward zones in response to iterative queries?
clists at buxtonfamily.us
Mon Apr 6 15:37:32 UTC 2020
On Apr 3, 2020, at 9:06 AM, bind-lists at iano.org wrote:
> Because the AD domain controllers already own 10.in-addr.arpa, they refuse to allow us to configure conditional forwarding for its subdomains. So we delegated the subdomains to the inbound endpoints. Because they are delegations, the domain controllers set the recursion desired flag to 0 on the queries they send to the endpoints, and we are not getting replies from the endpoints.
> As a workaround we tried delegating to our linux bind caching resolvers but we ran into the same issue, that the domain controllers set recursion desired to 0. As a result, when our linux caching servers have the result in cache, the lookup is successful, but when it would require a fresh lookup it gets a reply with no answers. Hence my question, is there a way to tell our bind caching resolvers to ignore the recursion desired flag and provide recursion anyway?
I've solved this before. You've tried two solutions, and neither worked alone. You need to do both.
- Delegate the subzones in question to the forwarders (or anywhere, really).
- Add conditional forwarding for the subzones also, pointing to the forwarders.
Without the delegation, the conditional forwarding won't work -- the MS DNS servers will respond authoritatively. But without the conditional forwarding, the MS DNS servers will send iterative queries, not recursive queries.
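As an added illustration (not code from this thread or from BIND), the following Python builds wire-format queries with the RD flag cleared, as a server following a delegation sends them, and with RD set, as conditional forwarding produces, then classifies replies from the header fields; the hostname and the two sample replies are constructed.

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1).
QR, RD, RA = 0x8000, 0x0100, 0x0080

def build_query(name, qtype=1, rd=True, txid=0x1234):
    """Build a minimal wire-format query. rd=False mimics the iterative
    (RD=0) queries a server sends when it follows a delegation."""
    header = struct.pack("!HHHHHH", txid, RD if rd else 0, 1, 0, 0, 0)
    labels = [lbl.encode() for lbl in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN

def parse_header(msg):
    """Decode the 12-byte header of a query or response."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def diagnose(query, response):
    """Classify a reply; NO_RECURSION_RD0 is the thread's symptom: an RD=0
    query to a caching resolver that answers NOERROR with nothing."""
    q, r = parse_header(query), parse_header(response)
    if r["id"] != q["id"] or not r["qr"]:
        return "MISMATCH"
    if r["rcode"] != 0:
        return "RCODE_%d" % r["rcode"]
    if r["ancount"] > 0:
        return "ANSWERED"
    if not q["rd"]:
        return "NO_RECURSION_RD0"
    return "NODATA"

# Constructed sample replies (header only; diagnose() reads just the header).
# NOERROR, RA set, ANCOUNT=0: what a cache returns to an RD=0 query it cannot satisfy.
EMPTY_REPLY = bytes.fromhex("1234 8080 0001 0000 0000 0000")
# Same reply with one answer record (ANCOUNT=1): the cached, or RD=1, case.
ANSWERED_REPLY = bytes.fromhex("1234 8180 0001 0001 0000 0000")

def demo(name="host.sub.corp.example"):
    """Return the diagnosis for each scenario described in the thread."""
    iterative, recursive = build_query(name, rd=False), build_query(name, rd=True)
    return {"iterative_uncached": diagnose(iterative, EMPTY_REPLY),
            "iterative_cached": diagnose(iterative, ANSWERED_REPLY),
            "recursive": diagnose(recursive, ANSWERED_REPLY)}
```

Pointing this at a real resolver (send `build_query(..., rd=False)` over UDP port 53 and feed the reply to `diagnose`) shows whether a delegation target will recurse, which is the check to run before relying on delegation alone.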