Hi, Kevin Darcy <k...@chrysler.com> writes:
> Are these queries mostly for names in an Active Directory domain? The
> default for Active Directory is for *every* Domain Controller to
> register NS records at the apex of the AD domain. Pretty soon, for any
> reasonably-sized AD infrastructure, all of those NSes cause *all*
> queries for *any* name in the domain to trigger a TCP retry (because
> the Answer + Authority Sections overflow 512 bytes), if EDNS0 is not
> in effect. I sat down with our AD folks a few years ago and impressed
> upon them how important it is to be selective about which Domain
> Controllers are registered at the apex. They appreciated the negative
> consequences of being awash in TCP retries, and it's been managed for
> some time now (at least for our *main* AD domain; don't get me started
> on the business partner that still has 92 NS records at the apex of
> their AD domain. Sigh)

Good point. Increasing the EDNS0 UDP size might also be an option (the default is 1280 for Windows DNS):
http://technet.microsoft.com/en-us/library/cc783893%28v=ws.10%29.aspx

It is also possible to tell some less critical DCs not to register themselves in DNS:
http://support.microsoft.com/kb/198767 and
http://technet.microsoft.com/en-us/library/cc782946%28v=ws.10%29.aspx

--
Carsten
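To make the 512-byte arithmetic from Kevin's message concrete, here is an added example (not from the thread or from either poster) that builds a non-EDNS0 response in wire format, with RFC 1035 name compression, and reports how many apex NS records fit before the TC bit and a TCP retry become unavoidable. The zone `ad.example.com`, the `dcNN` host names and the 10.0.0.0/8 addresses are constructed placeholders.

```python
import struct

ZONE = "ad.example.com"  # constructed sample AD domain, not a real one


def encode_name(name, offsets, out):
    """Append name to out in wire format, emitting a compression pointer
    for any suffix already present in the message (RFC 1035 4.1.4)."""
    labels = name.rstrip(".").split(".")
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in offsets:
            out.extend(struct.pack("!H", 0xC000 | offsets[suffix]))
            return
        if len(out) < 0x3FFF:
            offsets[suffix] = len(out)
        raw = label.encode()
        out.append(len(raw))
        out.extend(raw)
    out.append(0)


def response_size(num_ns, qname="host." + ZONE, with_glue=False):
    """Wire size of a reply with one A answer and num_ns apex NS records.
    with_glue=True also adds one A record per NS to the additional section,
    as an authoritative server normally would."""
    msg, offsets = bytearray(12), {}
    encode_name(qname, offsets, msg)                       # question
    msg.extend(struct.pack("!HH", 1, 1))                   # QTYPE=A, IN
    encode_name(qname, offsets, msg)                       # answer A
    msg.extend(struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([10, 0, 0, 1]))
    ns_names = ["dc%02d.%s" % (i, ZONE) for i in range(num_ns)]
    for ns in ns_names:                                    # authority NS
        encode_name(ZONE, offsets, msg)
        msg.extend(struct.pack("!HHI", 2, 1, 3600))
        rdlen_pos = len(msg)
        msg.extend(b"\x00\x00")                            # RDLENGTH placeholder
        encode_name(ns, offsets, msg)
        struct.pack_into("!H", msg, rdlen_pos, len(msg) - rdlen_pos - 2)
    if with_glue:
        for i, ns in enumerate(ns_names):                  # additional A
            encode_name(ns, offsets, msg)
            msg.extend(struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([10, 0, 1, i + 1]))
    arcount = num_ns if with_glue else 0
    struct.pack_into("!HHHHHH", msg, 0, 0x1234, 0x8180, 1, 1, num_ns, arcount)
    return len(msg)


def max_ns_within_512(with_glue=False):
    """Largest NS count whose reply still fits a classic 512-byte UDP payload;
    one more record forces truncation (TC=1) and a TCP retry without EDNS0."""
    n = 0
    while response_size(n + 1, with_glue=with_glue) <= 512:
        n += 1
    return n
```

With these constructed names every extra NS costs 19 bytes (35 with glue), so about two dozen registered DCs already push plain-UDP answers over the limit; the 92-NS apex in Kevin's example is far beyond it.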