In message <20130521085732.gh23...@h.detebe.org>, "Elmar K. Bins" writes:
> ... these annoying root lookups:
> error (host unreachable) resolving './DNSKEY/IN': 192.112.36.4#53
> error (host unreachable) resolving './NS/IN': 192.36.148.17#53
> ...
> 
> 
> Hi guys,
> 
> I guess a few of you have seen and mitigated this before. We're running
> a few BIND servers strictly internally - for master zone loading, actually.
> 
> Those servers have no external connectivity. Since they seem to routinely
> look up stuff concerning ".", I get a lot of the above error messages due
> to - certainly - unreachability of anything outside local.
> 
> Is there any way I can get those BIND9 servers to *not* look up root stuff?
> 
> Recursion is off, and the root hints file has been removed from the local
> zone config. No effect.

Authoritative nameservers still need to look up the addresses of nameservers
to send NOTIFY messages.  The messages you see are a result of
the nameserver doing these lookups.

Additionally you have DNSSEC validation and/or managed keys for the
root enabled.

Create a root zone for your internal namespace and configure hint,
master and slave root zones appropriately.

Work out if you are going to use DNSSEC and configure the nameserver
and zones appropriately for your internal namespace.

> Any pointers would be much appreciated.
> 
> Cheers,
>       Elmar.
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
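
Added example, not part of the original message and not ISC's own configuration: a named.conf sketch of the internal root setup suggested in the reply above. All file names, host names and the 192.0.2.1 address are placeholders, and it assumes the internal namespace is unsigned.

```conf
// Shared by every internal server.
options {
    recursion no;
    // Assumption: no DNSSEC inside this namespace. With validation off,
    // and no managed-keys or trusted-keys statement for "." elsewhere in
    // the config, named has no trust anchor to refresh, so it stops
    // asking for ./DNSKEY. If you do sign the internal root, configure
    // its key as the trust anchor instead of turning validation off.
    dnssec-validation no;
};

// --- Variant A: the one server that is master for the internal root ---
zone "." {
    type master;
    file "internal-root.zone";      // placeholder file name
    // The zone needs SOA and NS records at "." plus address records
    // (glue) for those NS names, all pointing at internal servers, so
    // NOTIFY target lookups can be answered locally.
};

// --- Variant B: other servers holding a copy of the internal root ---
// zone "." {
//     type slave;
//     masters { 192.0.2.1; };      // placeholder: internal root master
//     file "internal-root.slave";  // placeholder file name
// };

// --- Variant C: servers that only need to find the internal root ---
// zone "." {
//     type hint;
//     file "internal-root.hints";  // placeholder file name
//     // Contents, in zone-file syntax (placeholder names):
//     //   .                       3600000 IN NS ns1.corp.example.
//     //   ns1.corp.example.       3600000 IN A  192.0.2.1
// };
```

Use exactly one "." zone per server. Deleting the hint zone alone does not help, because named falls back to its compiled-in list of the public root servers.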