Hi All,

I am in the process of migrating all of our client facing resolver hosts back to BIND (from unbound) and have hit a roadblock. I wanted to confirm if I have missed something in my BIND configuration or I have hit some sort of limitation in BIND.

It appears as if BIND is ignoring the static-stub zone and just forwarding all queries to the specified forwarders.

The reason that I require a static-stub and not a forward zone is that our internal name servers have delegated zones (to Cisco GSS/F5 devices) which return site-specific answers; if I allow the client facing resolvers to recursively query the internal name servers I will get back the site-specific answer for the internal name server instead of the client facing resolver. Using a static-stub zone forces the client facing resolver to use iterative queries which will eventually lead it to query the Cisco GSS/F5 device for itself.

Environment info:
- I have obscured hostnames & IP addresses.

Public facing name servers (host the 'external' view of our primary zone & also perform recursive lookups for our internal servers):
- 111.111.111.111
- 222.222.222.222

Internal facing name servers (host the 'internal' view of our primary zone, will perform recursive queries for client facing resolvers):
- 10.0.0.1
- 10.0.0.2
- 10.0.0.3

BIND/Unbound, (client facing resolver) details:

    user@host:~ %cat /etc/redhat-release
    Red Hat Enterprise Linux Server release 6.2 (Santiago)
    user@host:~ %rpm -qa | grep ^bind
    bind-9.8.2-0.10.rc1.el6_3.2.x86_64
    bind-utils-9.8.2-0.10.rc1.el6_3.2.x86_64
    bind-libs-9.8.2-0.10.rc1.el6_3.2.x86_64
    user@host:~ %rpm -qa | grep unbound
    unbound-1.4.14-1.el6.x86_64
    unbound-libs-1.4.14-1.el6.x86_64

Unbound config (working):
- http://pastebin.com/MDFwZRLq
- Unbound sends iterative queries to the name servers specified in the stub zone.

BIND config #1 (static-stub zone ignored, all queries are forwarded to 111.111.111.111/222.222.222.222):
- http://pastebin.com/3rcZdxbQ

BIND config #2 (static-stub zone ignored, all queries are forwarded to 111.111.111.111/222.222.222.222):
- http://pastebin.com/cgbxSYph

Note: I have also tried setting 'forwards {};' in the static-stub zone but BIND returns with the error:
- "option 'forwarders' is not allowed in 'static-stub' zone 'obscured.edu.au'"

Regards,

Mark Picone
Unix Administrator
Deakin eSolutions
Deakin University