Hi Clement -

Perhaps I am using the wrong semantics, or perhaps I am not completely 
understanding you, or possibly I am doing something wrong (even though 
I have been doing it this way more or less for about 10 years!).  This 
server provides (what I understand to be) true authoritative name 
resolution for about 60 domains and ONLY those 60 domains, but provides 
no recursive lookups nor any caching - no systems on the LAN query it, 
or any other server I provide locally, for DNS resolution.  It is simply 
queried by external caching DNS servers on the net for name resolution 
of a small number of domains.  I do provide complete zone content for 
these domains, but not for other domains such as yahoo.com (obviously) 
which need to be queried elsewhere as no caching is being done.

My understanding is that a DNS server generally should not provide 
recursive lookups and caching while also providing authoritative 
resolution of domains for security reasons.  This at least is a 
recommendation made by Dan Bernstein (author of Tiny DNS) and makes 
sense to me - Bind and MS systems allow it, but it is probably not a 
good idea.

Am I missing something?  Thanks for your input ...

Jeff

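One way to check the separation Jeff describes, added here as an example and not code from anyone in this thread: decode the flags in a DNS response header to see whether the answering server claims authority (AA) and whether it offers recursion (RA). An authoritative-only server sets AA for its own zones, leaves RA clear, and refuses out-of-zone queries; an open resolver sets RA. The sample responses are constructed inside the script; nothing is sent on the network.

```python
# Added example, not from the thread: classify a DNS server's role from the
# 12-byte message header (RFC 1035 section 4.1.1). Authoritative-only servers
# answer their own zones with AA=1 and never set RA; resolvers set RA=1.
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def parse_header(pkt: bytes) -> dict:
    """Decode the header flags of a DNS message."""
    if len(pkt) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),   # 1 = this is a response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rd": bool(flags & 0x0100),   # recursion desired (copied from the query)
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "ancount": an,
    }

def classify(pkt: bytes) -> str:
    """Label a response by the role the answering server is playing."""
    h = parse_header(pkt)
    if not h["qr"]:
        return "not a response"
    if h["ra"]:
        return "recursive resolver"        # offers recursion to whoever asked
    if h["aa"]:
        return "authoritative-only"        # answered from its own zone data
    if h["rcode"] == "REFUSED":
        return "authoritative-only (out-of-zone query refused)"
    return "non-authoritative, no recursion"

def build_response(ident: int, aa: bool, ra: bool, rcode: int, ancount: int) -> bytes:
    """Construct a header-only response for the demo (RD=1, as a stub resolver sends)."""
    flags = 0x8000 | 0x0100 | (0x0400 if aa else 0) | (0x0080 if ra else 0) | rcode
    return struct.pack("!HHHHHH", ident, flags, 1, ancount, 0, 0)

# Constructed sample responses, not captured traffic.
AUTH_ONLY_IN_ZONE = build_response(0x1234, aa=True, ra=False, rcode=0, ancount=1)
AUTH_ONLY_OUT_OF_ZONE = build_response(0x1235, aa=False, ra=False, rcode=5, ancount=0)
OPEN_RESOLVER = build_response(0x1236, aa=False, ra=True, rcode=0, ancount=1)

if __name__ == "__main__":
    for name, pkt in [("in-zone", AUTH_ONLY_IN_ZONE),
                      ("out-of-zone", AUTH_ONLY_OUT_OF_ZONE),
                      ("resolver", OPEN_RESOLVER)]:
        print(name, "->", classify(pkt))
```
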
CLEMENT Francis wrote:
> As an authoritative dns, why do you want your internal network to go to the
> 'external' dns servers ????
> An authoritative dns server for a zone is ONLY one of the NS listed, and these
> NS roles suppose they have a full copy of the zone content.
> As many election algorithms will sort the ns entries to place the 'locals'
> (network point of view) as the preferred to ask first, your 'internal
> authoritative' that does not have all of the zone will surely be elected !
>
> Then, the local computer electing to use your 'false authoritative server', that
> is online and responds to dns queries even if not the desirable good
> responses from the user's point of view, but a 'good' response at dns protocol
> point of view, why do you want them to 'change' and switch to the 'external
> true authoritative servers' ?
> A tcpdump for dns traffic on your local network could show that for the DOM
> domain almost all the queries are sent to your 'false authoritative server'.
>
> Best way to resolve this issue :
> - Don't use any 'internal dns server' for this zone at all
> or
> - Give your internal dns server the complete zone content to become a true
> authoritative dns server for the zone :)
> (Notice that doing so, if your local dns is behind a nat server, you could
> face a common 'nat firewall' loopback issue. I can explain if you want)
>
> Francis
>
>
> -----Original Message-----
> From : [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] on behalf of Jeff Buehler
> Sent : Wednesday 20 February 2008 20:35
> To : [email protected]
> Subject : [xmail] Re: FreeBSD problem (similar to NetBSD problem reported
> earlier?)
>
>
> Hi Davide -
>
> Yes, it works from an external line, but not from the server itself.  I
> am trying to figure out why providing the authoritative DNS for that
> domain (pointing to another server on the net which provides everything
> else for the domain) causes the failure - it seems to be looping, which
> might be expected behavior, but I'm not certain.  At this point since it
> works with SmartDNS it is mostly curiosity.
>
> Jeff
>
> -
> To unsubscribe from this list: send the line "unsubscribe xmail" in
> the body of a message to [EMAIL PROTECTED]
> For general help: send the line "help" in the body of a message to
> [EMAIL PROTECTED]
>