On 10/28/13 1:46 PM, Mark Andrews wrote:
> In message <526eba87.7040...@networktest.com>, David Newman writes:
>>
>>> 3. Another internal nameserver gets intermittent dig +dnssec errors on
>>> queries for internal resources. Sometimes after a restart, the result is
>>> NOERROR and other times it's NXDOMAIN or SERVFAIL.
>
> Inconsistent use of views. The NOERROR will probably be coming
> from the internal view and the NXDOMAIN from the external view
> (or the other way around).

The underlying question is what forwarders to use, if any, on an internal
caching-only nameserver where DNSSEC and split DNS are in use. In this case,
per your guidance there are two versions of some zones, with the internal
version using delegation and the external not.

The only way I can think of is to allow recursion on authoritative servers, but
only from the caching-only servers, and put the authoritative servers in their
forwarders statement. For all other clients, the only servers with recursion
would be the caching-only ones. And the authoritative servers would be the only
ones listed in the forwarders statement.

Or is there a better way to do this?

thanks

dn

> As for SERVFAIL you may have badly configured firewalls that are
> dropping fragmented responses, or responses > 512 bytes resulting
> in excessive timeouts and excessive use of TCP. This is more visible
> in a newly started server.
>
> Mark
>
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
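The arrangement David describes, written out as two named.conf fragments (an added illustration, not configuration from this thread or from ISC). Addresses, ACL names, file names and the zone name are assumed; the trusted-keys block is an assumption that applies only when the internal copy of the zone is signed with keys that are not in the public chain of trust.

```conf
# --- authoritative server (named.conf fragment; addresses assumed) ---
acl "caching-only"  { 10.0.0.53; 10.0.0.54; };  # the internal caching resolvers
acl "internal-nets" { 10.0.0.0/8; };

view "internal" {
    # Internal clients always land in this view, so they get one consistent
    # copy of the zone whether they ask directly or via the caching servers.
    match-clients   { caching-only; internal-nets; };
    recursion       yes;
    # Recursion is the only thing restricted further: just the caching-only
    # servers may recurse here; other internal hosts get authoritative data.
    allow-recursion { caching-only; };
    zone "example.com" {
        type master;
        file "internal/example.com.signed";   # internal copy, with delegations
    };
};

view "external" {
    match-clients { any; };
    recursion     no;                         # answers only, never recursion
    allow-query   { any; };
    zone "example.com" {
        type master;
        file "external/example.com.signed";   # external copy, no delegations
    };
};

# --- caching-only server (named.conf fragment; addresses assumed) ---
acl "internal-nets" { 10.0.0.0/8; };

options {
    recursion         yes;
    allow-query       { internal-nets; };
    allow-recursion   { internal-nets; };
    dnssec-validation auto;                   # validate using the root anchor
    forwarders        { 10.0.1.1; 10.0.1.2; };  # the authoritative servers above
    forward           only;                   # never bypass them for the public tree
};

# Assumption: the internal copy of example.com is signed with its own KSK, so
# the public DS chain cannot validate it; without an explicit anchor the
# validator marks it bogus and returns SERVFAIL.
trusted-keys {
    "example.com." 257 3 8 "<INTERNAL-KSK-PUBLIC-KEY-PLACEHOLDER>";
};
```

Because the caching servers match the internal view on the authoritative side, every recursive answer they cache comes from the same copy of the zone, which removes the NOERROR/NXDOMAIN flip-flop Mark attributes to mixed views.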