Re: Some Authoritative-Only BCPs

2024-04-02 Thread Greg Choules via bind-users
Hi Crist. Firstly, DNS servers do not make recursive queries, unless they have been configured to forward. Secondly, please start a packet capture on your server (save to disc, so you can analyse it later in Wireshark) then start BIND and make some test queries to your server. Look at what your

Re: Some Authoritative-Only BCPs

2024-03-31 Thread Crist Clark
Thanks so much for the response. This machine does not have any reasons to do recursive queries to the Internet, and it is not allowed in the firewall. Looks like the article quoted is the guidance I was looking for. This server has "notify no", AND all of the name servers are in the

Re: Some Authoritative-Only BCPs

2024-03-28 Thread Mark Andrews
Also authoritative servers look up information. This includes addresses of nameservers to send NOTIFY messages. DS queries as part of DNSSEC key management. DNSKEY queries as part of DNSSEC trust anchor management. Plus whatever else is required to resolve those queries. -- Mark Andrews >

Re: Some Authoritative-Only BCPs

2024-03-28 Thread Greg Choules via bind-users
Hi cjc. My answers would be: - Leave `dnssec-validation` alone (auto) and ensure your server has a path to the Internet to make queries. - Don't mess with root hints. The only time anyone should need to do this is when running a completely captive server living in a custom namespace that is NOT

Some Authoritative-Only BCPs

2024-03-28 Thread Crist Clark
I am upgrading and redeploying some authoritative-only BIND servers. Two questions about some fine points: What to set 'dnssec-validation'? Just let it default to 'auto'? There is no need or opportunity for an authoritative-only server to validate (right?). Should we actively switch it off, set