On 11/13/21 7:29 AM, Tony Finch wrote:
You should make sure that your public nameservers return a definite nodata or NXDOMAIN reply for your private names, not REFUSED, nor a referral to an RFC 1918 address. The latter two will cause resolvers to retry, and the retries can become a large proportion of your total authoritative query traffic.

Please elaborate on the mechanics behind returning a "private" IP causing resolvers to retry? Is it the resolvers rejecting the "private" IP and retrying? Or is it the end systems behind the resolvers failing to be able to use the resolved private IP and trying resolution again? How and why does an authoritative server returning authoritative data cause resolvers / clients to send more queries?

Note: I'm expanding "private" to be an IP that is not globally accessible, because it's RFC 1918 (et al.), not globally routed, firewalled, etc. If this is not a fair expansion, please enlighten me.



--
Grant. . . .
unix || die
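
Added example, not part of the original message or of BIND: a Python sketch that classifies a wire-format DNS response into the outcomes named in the quoted advice (NXDOMAIN, nodata, REFUSED, or a referral whose glue is an RFC 1918 address), so a public nameserver's reply for a private name can be checked. The name host.corp.example, the helper names and the sample records are constructed for illustration; treating an empty non-authoritative reply with NS records as a referral is an assumption of this sketch.

```python
import ipaddress
import struct

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]                   # step over one label
    return off + (2 if msg[off] else 1)       # pointer is 2 bytes, root label is 1

def classify(msg):
    """Name the kind of reply a server gave, per the cases in the quoted advice."""
    _id, flags, qd, *counts = struct.unpack("!6H", msg[:12])
    rcode, aa, off = flags & 0xF, bool(flags & 0x0400), 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4        # skip QTYPE and QCLASS
    sections = []
    for count in counts:                      # answer, authority, additional
        rrs = []
        for _ in range(count):
            off = _skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rrs.append((rtype, msg[off + 10:off + 10 + rdlen]))
            off += 10 + rdlen
        sections.append(rrs)
    answer, authority, additional = sections
    if rcode or answer:
        return {3: "NXDOMAIN", 5: "REFUSED"}.get(rcode, "OTHER")
    if aa or not any(t == 2 for t, _ in authority):
        return "NODATA"                       # empty answer and no delegation
    glue = [ipaddress.ip_address(d) for t, d in additional if t == 1]
    private = any(a in net for a in glue for net in RFC1918)
    return "REFERRAL_TO_RFC1918" if private else "REFERRAL"

# Constructed sample responses for the made-up name host.corp.example.
def wire_name(n):
    return b"".join(bytes([len(p)]) + p.encode() for p in n.split(".")) + b"\0"

def rr(name, rtype, rdata):
    return wire_name(name) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata

def sample(flags, ns=(), ar=()):
    head = struct.pack("!6H", 1, flags, 1, 0, len(ns), len(ar))
    return head + wire_name("host.corp.example") + struct.pack("!HH", 1, 1) + b"".join([*ns, *ar])

SOA = rr("example", 6, wire_name("ns.example") + wire_name("admin.example")
         + struct.pack("!5I", 1, 3600, 600, 86400, 300))
NS = rr("corp.example", 2, wire_name("ns.corp.example"))
GLUE = rr("ns.corp.example", 1, bytes([10, 0, 0, 53]))
```

For example, `classify(sample(0x8000, ns=[NS], ar=[GLUE]))` returns `"REFERRAL_TO_RFC1918"`, while `classify(sample(0x8400, ns=[SOA]))` returns `"NODATA"`.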
