Johannes Kastl <[email protected]> wrote: > > client 192.168.99.2#22059 (ojkastl.de): query (cache) 'ojkastl.de/DS/IN' > denied > > Is this actually something to worry about?
It's annoying but benign. The recursive server is sending DS queries to the wrong server, to the child zone's server (from the static-stub configuration) rather than the parent zone's servers. However it recovers from this mistake so everything works, apart from the wasted query. (see also https://tools.ietf.org/html/rfc3658#section-2.2.1.2 for fun edge cases resolving DS records) > When using a forward-type zone I got lots of additional NS records for > de (nic.de etc.) in my dig tests, so I tried the static stub. For a "forward" zone, BIND acts as a recursive client, and expects the target server to be a recursive server. This mostly becomes important if there are delegations from the zone. For a static-stub zone, BIND is an iterative client as usual, so it expects the target server to be an authoritative server. The static-stub configuration in effect overrides the zone's NS records. Tony. -- f.anthony.n.finch <[email protected]> http://dotat.at/ - I xn--zr8h punycode Fitzroy: Southerly or southwesterly 5 to 7 decreasing 3 or 4, occasionally 5 later in west. Moderate or rough. Rain or showers. Moderate or good. _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list [email protected] https://lists.isc.org/mailman/listinfo/bind-users
