Right, it looks a bit dirty but makes sense. Thanks. On 20 November 2017 at 15:13, Mark Andrews <ma...@isc.org> wrote:
> The simplest way is to slave the zone. Named won’t attempt to validate > zone > content it serves. If you have other applications that validate zone > content > sign your own zone and distribute trust anchors for them. > > Mark > > On 20 Nov 2017, at 12:45 pm, Ivan Kurnosov <zer...@zerkms.ru> wrote: > > > > > > Found it. It's caused by `dnssec`. If I enable it - the root servers are > not being touched. > > > > Then the question is - can I still have `dnssec` and somehow > internet-availability-tolerant configuration? > > > > On 20 November 2017 at 14:36, Ivan Kurnosov <zer...@zerkms.ru> wrote: > > I'm having a really simple recursive DNS for a small office, that has a > forwarded zone (being resolved by another local server). > > > > The config looks like > > > > options { > > directory "/var/cache/bind"; > > > > dnssec-validation auto; > > > > auth-nxdomain no; > > listen-on-v6 { none; }; > > > > recursion yes; > > allow-query { any; }; > > > > allow-transfer { none; }; > > }; > > > > > > zone " > > internal.companyname.co.nz > > " { > > type forward; > > forward only; > > forwarders { > > 192.168.1.x; > > 192.168.1.y; > > }; > > }; > > > > > > The problem I am observing is that even if I resolve a name within ` > internal.companyname.co.nz` the bind still tries to contact the root > servers, .nz. and .co.nz. servers as well. > > > > And if at that point the internet is not available for the machine - the > response fails, even though it's the forwarded to another local server zone. > > > > On this screenshot there are the packets I captured that are being sent > to the internet > > > > https://i.stack.imgur.com/TphcP.png > > > > I also asked this question at https://serverfault.com/q/884196/45086 > > > > So the question is: what do I else need to do to make this server not > recurse for the forwarded-only zone? > > > > -- > > With best regards, Ivan Kurnosov > > > > > > > > -- > > With best regards, Ivan Kurnosov > > _______________________________________________ > > Please visit https://lists.isc.org/mailman/listinfo/bind-users to > unsubscribe from this list > > > > bind-users mailing list > > bind-users@lists.isc.org > > https://lists.isc.org/mailman/listinfo/bind-users > > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org > > -- With best regards, Ivan Kurnosov
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users