> On Apr 13, 2022, at 12:00 AM, Grant Taylor via bind-users <bind-users@lists.isc.org> wrote:
>
> On 4/12/22 7:18 PM, Duchscher, Dave J via bind-users wrote:
> > We are dropping this configuration and looking at doing something else.
>
> I'm sorry to hear that.
>
> > We have had intermittent issues with Slack, Microsoft, and a growing
> > list of domains. Even have one that consistently fails.
>
> Are you able to share any specific details / examples so that others can
> see an example of what to look out for?
Sure. Just to be clear, the setup looks like this:

Internal DNS --> DMZ DNS Cache -> World

Internal DNS is forward only. Only internal DNS is allowed on the DNS cache systems.

DNSSEC validation can be enabled or disabled on the cache systems since named always sets the check disabled flag when forwarding. This also means that you can't forward to an upstream DNS system and have it do the DNSSEC validation. Wish there was a way to turn this off, or if it would only set the check disabled flag when DNSSEC validation is enabled.

Failure mode is that everything looks to work and then a domain will stop resolving. Sometimes we get timeouts, sometimes SERVFAIL, and other times NXDOMAIN.

On a test setup with a fresh restart, these domains always fail:

cybr.club
am-explorer.com
simutext.com
simutext2.com

These domains fail randomly and we have not been able to produce the failure:

a.slack-edge.com
portal.azure.com
rex-sftp.bncollege.com

There are also our Teams and SharePoint domains, but I'd rather not put them here.

I hope this helps. Needless to say, it has been a frustrating situation.

--
Dave
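As an added illustration (not part of the thread or of BIND), a small Python script that builds the DNS header Dave is talking about, so a reader can see what the CD (checking disabled) bit looks like in a forwarded query and decode the RCODEs he lists. The packets are constructed in the script; the domain names are the ones quoted above.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1, RFC 4035 section 3.2.2).
FLAG_QR = 0x8000  # response (set) vs. query (clear)
FLAG_RD = 0x0100  # recursion desired
FLAG_AD = 0x0020  # authenticated data: validating resolver vouches for the answer
FLAG_CD = 0x0010  # checking disabled: asks the upstream NOT to validate DNSSEC
RCODE_MASK = 0x000F
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def encode_name(name):
    """Encode a dotted name as a sequence of DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qid=0x1234, cd=False):
    """Minimal A-record query; cd=True mimics a forwarder that sets CD."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_flags(pkt):
    """Decode the 12-byte header of a captured query or response."""
    qid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    return {
        "id": qid,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
    }

def rcode_name(pkt):
    """Human-readable RCODE of a response (the values seen in the thread)."""
    code = parse_flags(pkt)["rcode"]
    return RCODE_NAMES.get(code, "RCODE%d" % code)

def upstream_will_validate(query_pkt):
    """A query carrying CD tells the upstream resolver to skip validation for us."""
    return not parse_flags(query_pkt)["cd"]

if __name__ == "__main__":
    for cd in (False, True):
        q = build_query("portal.azure.com", cd=cd)
        print("CD set:", cd, parse_flags(q), "upstream validates:", upstream_will_validate(q))
    # Constructed SERVFAIL response header: QR|RD|RA set, RCODE=2.
    print(rcode_name(b"\x12\x34\x81\x82\x00\x01\x00\x00\x00\x00\x00\x00"))
```

Running it against packets captured between the DMZ cache and its upstream would show whether the forwarded queries carry CD, which is the behaviour Dave describes.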