<div dir="ltr">err: a typo in the last email `s/enable/disable/`</div><div class="gmail_extra"><br><div class="gmail_quote">On 20 November 2017 at 14:45, Ivan Kurnosov <span dir="ltr"><<a href="mailto:zerkms@zerkms.ru" target="_blank">zerkms@zerkms.ru</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Found it. It's caused by `dnssec`. If I enable it - the root servers are not being touched.<div><br></div><div>Then the question is - can I still have `dnssec` and somehow internet-availability-tolerant configuration?</div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On 20 November 2017 at 14:36, Ivan Kurnosov <span dir="ltr"><<a href="mailto:zerkms@zerkms.ru" target="_blank">zerkms@zerkms.ru</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I'm having a really simple recursive DNS for a small office, that has a forwarded zone (being resolved by another local server).<div><br></div><div>The config looks like</div><div><br></div><div><pre style="margin-top:0px;margin-bottom:1em;padding:5px;border:0px;font-variant-numeric:inherit;font-stretch:inherit;font-size:13px;line-height:inherit;font-family:Consolas,Menlo,Monaco,"Lucida Console","Liberation Mono","DejaVu Sans Mono","Bitstream Vera Sans Mono","Courier New",monospace,sans-serif;vertical-align:baseline;width:auto;max-height:600px;overflow:auto;background-color:rgb(239,240,241);word-wrap:normal;color:rgb(36,39,41)"><code style="margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:inherit;font-family:Consolas,Menlo,Monaco,"Lucida Console","Liberation Mono","DejaVu Sans Mono","Bitstream Vera Sans Mono","Courier New",monospace,sans-serif;vertical-align:baseline;white-space:inherit">options {
directory "/var/cache/bind";
dnssec-validation auto;
auth-nxdomain no;
listen-on-v6 { none; };
recursion yes;
allow-query { any; };
allow-transfer { none; };
};
zone "<a href="http://internal.companyname.co.nz" target="_blank">internal.companyname.co.nz</a>" {
type forward;
forward only;
forwarders {
192.168.1.x;
192.168.1.y;
};
};</code></pre><div><br></div><div>The problem I am observing is that even if I resolve a name within `<a href="http://internal.companyname.co.nz" target="_blank">internal.companyname.co.nz</a>` the bind still tries to contact the root servers, .nz. and .<a href="http://co.nz" target="_blank">co.nz</a>. servers as well.</div><div><br></div><div>And if at that point the internet is not available for the machine - the response fails, even though it's the forwarded to another local server zone.</div><div><br></div><div>On this screenshot there are the packets I captured that are being sent to the internet </div><div><br></div><div><a href="https://i.stack.imgur.com/TphcP.png" target="_blank">https://i.stack.imgur.com/Tphc<wbr>P.png</a><br></div><div><br></div><div>I also asked this question at <a href="https://serverfault.com/q/884196/45086" target="_blank">https://serverfault.com/q/8<wbr>84196/45086</a></div><div><br></div><div>So the question is: what do I else need to do to make this server not recurse for the forwarded-only zone?</div><span class="m_7348806171449603209HOEnZb"><font color="#888888"><div><br></div>-- <br><div class="m_7348806171449603209m_-3088345023805569651gmail_signature">With best regards, Ivan Kurnosov</div>
</font></span></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="m_7348806171449603209gmail_signature" data-smartmail="gmail_signature">With best regards, Ivan Kurnosov</div>
</div>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">With best regards, Ivan Kurnosov</div>
</div>