Hello Tony,
> The other things that can cause the behaviour you observed are synth-from-
> dnssec and qname-minimization.
thanks for the heads up concerning synth-from-dnssec; I thought the default
was "no", but that seems to have changed somewhere between 9.14 and 9.16...
I've just changed that and let's see whether that changes the behaviour. At
least, from the documentation it sounds like it should have the same effect.
qname-minimization is set to relaxed, so that shouldn't have an effect, and
at least all Windows AD DNS-servers I know can cope with
normalized/minimized queries.
> It might make sense to forward the whole of .lan and .local to your
Windows
> resolvers, assuming you have one set of servers that knows the whole
> namespace.
As the AD domains aren't part of a singular forest, there is no "global" lan
or local zone, alas. I'm also only able to access other forwarders (rather:
firewalls connected via VPN to the resolver), not the nameservers of the
disjointed forests themselves, which is the main point why setting up an
aggregate .lan/.local-zone is rather difficult, as I can't even put in
proper glue if I were to synthesize a corresponding zone. But I'll try with
synth-from-dnssec, that should do the trick. Thanks!
--- Heiko.
smime.p7s
Description: S/MIME cryptographic signature
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
