On 09/10/2010 03:05 AM, Mark Andrews wrote:
> In message <4c891404.3000...@imperial.ac.uk>, Phil Mayers writes:
>> On 09/09/2010 03:45 PM, Timothe Litt wrote:
>>> There is other advice in the ARM that says to put 'your organization's
>>> public keys in the trusted-keys list'. That doesn't help - and in fact,
>>> confuses me even more since example.net has TWO different public keys - one
>>> for each view. And trusted-keys is a global server option...
>>> I must be missing something.
>>
>> I don't think so. Currently AFAICT bind will not set AD on authoritative
>> zones, with any combination of options.
>
> Add a match-recursion-only view;

Sure; that's the "right" thing, but then bind will presumably consume
more RAM - RAM to load the authoritative zones in the internal/external
views, and RAM to cache them in the recursive view? The OP was
explicitly unwilling to suffer this penalty as I understood it.

TBH I have some sympathy with the OP's issue; we like to slave our zones
to our recursive resolvers, so that when we make updates to our zones
(via DDNS, every few minutes) IXFR will keep them in-sync without
waiting for TTLs to expire. But then we can't get the "ad" bit.

It would be nice if there were a feature sort of like attach-cache, but
for master zones, so that a recursive view could be told to a) skip the
network lookup, and fetch the data direct from view N and b) never cache
the result.
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
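
An added example, not part of the thread and not code from BIND: a small check for the behaviour discussed above, which builds a DNSSEC-aware query and reports whether a response came back with AD set or only as an authoritative (AA) answer. The function names and the two header-only sample responses are constructed for this example.

```python
import socket
import struct

# Bit masks in the 16-bit flags word of the DNS header (RFC 1035, RFC 4035).
QR, AA, RD, RA, AD = 0x8000, 0x0400, 0x0100, 0x0080, 0x0020


def build_query(name, qtype=1, msg_id=0x1234):
    """Recursive query (RD=1) carrying an EDNS0 OPT record with DO set."""
    header = struct.pack("!HHHHHH", msg_id, RD, 1, 0, 0, 1)
    labels = [l for l in name.split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner, type 41, class = UDP payload size,
    # TTL field carries the DO flag (0x8000), empty rdata.
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt


def classify(response):
    """Report how the server answered, based only on the header flags."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    if not flags & QR:
        raise ValueError("not a response")
    if flags & AD:
        return "validated (AD set)"
    if flags & AA:
        return "authoritative, AD not set"
    return "not authoritative, AD not set"


def ask(server, name, timeout=3.0):
    """Send the query over UDP and classify the reply (needs a reachable server)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return classify(s.recv(4096))


# Constructed header-only responses: one as an authoritative view would flag
# it, one as a validating recursive view would flag it.
FROM_AUTH_VIEW = struct.pack("!HHHHHH", 0x1234, QR | AA | RD, 0, 0, 0, 0)
FROM_RECURSIVE_VIEW = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | AD, 0, 0, 0, 0)

if __name__ == "__main__":
    print(classify(FROM_AUTH_VIEW))
    print(classify(FROM_RECURSIVE_VIEW))
```
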