Right, it looks a bit dirty but makes sense. Thanks.
On 20 November 2017 at 15:13, Mark Andrews <ma...@isc.org> wrote:
> The simplest way is to slave the zone. Named won’t attempt to validate
> zone
> content it serves. If you have other applications that validate zone
> content
> sign your own zone and distribute trust anchors for them.
>
> Mark
>
> On 20 Nov 2017, at 12:45 pm, Ivan Kurnosov <zer...@zerkms.ru> wrote:
> >
> >
> > Found it. It's caused by `dnssec`. If I enable it - the root servers are
> not being touched.
> >
> > Then the question is - can I still have `dnssec` and somehow
> internet-availability-tolerant configuration?
> >
> > On 20 November 2017 at 14:36, Ivan Kurnosov <zer...@zerkms.ru> wrote:
> > I'm having a really simple recursive DNS for a small office, that has a
> forwarded zone (being resolved by another local server).
> >
> > The config looks like
> >
> > options {
> > directory "/var/cache/bind";
> >
> > dnssec-validation auto;
> >
> > auth-nxdomain no;
> > listen-on-v6 { none; };
> >
> > recursion yes;
> > allow-query { any; };
> >
> > allow-transfer { none; };
> > };
> >
> >
> > zone "
> > internal.companyname.co.nz
> > " {
> > type forward;
> > forward only;
> > forwarders {
> > 192.168.1.x;
> > 192.168.1.y;
> > };
> > };
> >
> >
> > The problem I am observing is that even if I resolve a name within `
> internal.companyname.co.nz` the bind still tries to contact the root
> servers, .nz. and .co.nz. servers as well.
> >
> > And if at that point the internet is not available for the machine - the
> response fails, even though it's the forwarded to another local server zone.
> >
> > On this screenshot there are the packets I captured that are being sent
> to the internet
> >
> > https://i.stack.imgur.com/TphcP.png
> >
> > I also asked this question at https://serverfault.com/q/884196/45086
> >
> > So the question is: what do I else need to do to make this server not
> recurse for the forwarded-only zone?
> >
> > --
> > With best regards, Ivan Kurnosov
> >
> >
> >
> > --
> > With best regards, Ivan Kurnosov
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
> >
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>
>
--
With best regards, Ivan Kurnosov
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
