Among numerous examples of folks running Bind9 in split-view mode similar to my config, I found this unanswered DNSSEC-related post,
"DNSSEC Validating Resolver and Views" https://lists.isc.org/pipermail/bind-users/2010-March/079166.html which seems, at least, similar to the issue I'm seeing, " ... This setup has been working for years but is now broken for clients querying from a guest network (via the guest view) unless the queries have checking disabled. ..." Checking with my server for apparently unsigned 'www.adobe.com', dig www.adobe.com ; <<>> DiG 9.8.0-P1 <<>> www.adobe.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12026 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;www.adobe.com. IN A ;; Query time: 24 msec ;; SERVER: 10.10.10.100#53(10.10.10.100) ;; WHEN: Mon May 9 13:53:29 2011 ;; MSG SIZE rcvd: 31 dig www.adobe.com +cd ; <<>> DiG 9.8.0-P1 <<>> www.adobe.com +cd ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50312 ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0 ;; QUESTION SECTION: ;www.adobe.com. IN A ;; ANSWER SECTION: www.adobe.com. 3592 IN CNAME www.wip4.adobe.com. www.wip4.adobe.com. 30 IN A 192.150.16.60 ;; AUTHORITY SECTION: wip4.adobe.com. 3337 IN NS da1gtm001.adobe.com. wip4.adobe.com. 3337 IN NS 3dns-5.adobe.com. ;; Query time: 52 msec ;; SERVER: 10.10.10.100#53(10.10.10.100) ;; WHEN: Mon May 9 13:53:37 2011 ;; MSG SIZE rcvd: 115 shows, as in the referenced post, that checking an dnssec-unsigned domain @ resolver with dnssec-validation enabled returns DATA only if that validation is DISABLED. DCh _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users