On Apr 3, 2020, at 9:06 AM, bind-li...@iano.org wrote:

> Because the AD domain controllers already own 10.in-addr.arpa, they refuse to
> allow us to configure conditional forwarding for its subdomains. So we
> delegated the subdomains to the inbound endpoints. Because they are
> delegations, the domain controllers set the recursion desired flag to 0 on
> the queries they send to the endpoints, and we are not getting replies from
> the endpoints.
>
> As a workaround we tried delegating to our Linux BIND caching resolvers, but
> we ran into the same issue: the domain controllers set recursion desired
> to 0. As a result, when our Linux caching servers have the result in cache
> the lookup is successful, but when it would require a fresh lookup it gets a
> reply with no answers. Hence my question: is there a way to tell our BIND
> caching resolvers to ignore the recursion desired flag and provide recursion
> anyway?
I've solved this before. You've tried two solutions, and neither worked alone. You need to do both.

- Delegate the subzones in question to the forwarders (or anywhere, really).
- Add conditional forwarding for the subzones also, pointing to the forwarders.

Without the delegation, the conditional forwarding won't work -- the MS DNS servers will respond authoritatively. But without the conditional forwarding, the MS DNS servers will send iterative queries, not recursive queries.

Regards,
Chris Buxton
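The two-step recipe above, written out as an added example for the Windows DNS side (this is not from the original thread and not Chris's or ISC's code). It assumes hypothetical values: the AD servers host 10.in-addr.arpa, the child zone to hand off is 42.10.in-addr.arpa (the 10.42.0.0/16 reverse space), and the inbound endpoints are 10.0.0.53 and 10.0.1.53 with the assumed names endpoint-a.example.internal and endpoint-b.example.internal. Run it on one AD DNS server with the DnsServer module (Windows Server 2012 or later).

```powershell
# Added example; all zone names, host names and addresses below are assumptions.
$ParentZone = "10.in-addr.arpa"          # zone the AD servers own authoritatively
$ChildLabel = "42"                       # delegate 42.10.in-addr.arpa (10.42.0.0/16)
$ChildZone  = "$ChildLabel.$ParentZone"
$Endpoints  = @{                         # name -> address of each inbound endpoint
    "endpoint-a.example.internal" = "10.0.0.53"
    "endpoint-b.example.internal" = "10.0.1.53"
}

# Step 1: delegate the child zone inside the parent. With NS records in place the
# AD servers no longer answer authoritatively (NXDOMAIN/NODATA) for names under it,
# which is also what lets the conditional forwarder for the same name be created.
# -IPAddress writes the glue A record alongside each NS record.
foreach ($ns in $Endpoints.Keys) {
    Add-DnsServerZoneDelegation -Name $ParentZone -ChildZoneName $ChildLabel `
        -NameServer $ns -IPAddress $Endpoints[$ns]
}

# Step 2: conditional forwarder for the same child zone, pointing at the endpoints.
# The delegation alone makes the AD servers send iterative (RD=0) queries, which the
# endpoints and a BIND caching resolver will not recurse on; the forwarder makes
# them send recursive (RD=1) queries instead. Forest scope stores it in AD so every
# DC picks it up; use -ReplicationScope Domain or omit it for a local-only forwarder.
Add-DnsServerConditionalForwarderZone -Name $ChildZone `
    -MasterServers ($Endpoints.Values) -ReplicationScope "Forest"

# Verification on the same server. Both the NS records and the forwarder must exist;
# the PTR lookup should now return data that was not already cached on the endpoint.
Get-DnsServerResourceRecord -ZoneName $ParentZone -Name $ChildLabel -RRType NS
Get-DnsServerZone -Name $ChildZone | Select-Object ZoneName, ZoneType, MasterServers
Resolve-DnsName -Name "10.0.42.10.in-addr.arpa" -Type PTR -Server 127.0.0.1
```

To confirm the RD-flag behaviour from the BIND side rather than trusting the cmdlets, capture the queries the AD server sends to an endpoint (or to the BIND resolver) and check the header flags: before the forwarder is added they arrive with RD clear, after it they arrive with RD set, which is the difference between the empty replies the original poster saw and a real recursive answer.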