On 11/18/15, 10:47 AM, "bind-users-boun...@lists.isc.org on behalf of Barry Margolin" <bind-users-boun...@lists.isc.org on behalf of bar...@alum.mit.edu> wrote:
>In article <mailman.2958.1447847777.26362.bind-us...@lists.isc.org>,
> Reindl Harald <h.rei...@thelounge.net> wrote:
>
>> when a result looks like below it needs to be fixed and "Are there any
>> BIND specific workarounds?" is the wrong question because even if - the
>> domain owner is not in the position to place workarounds somewhere else
>
>While that's the pedantically correct answer, in practice it doesn't
>work well when your users complain "Google DNS deals with it, why don't
>you?" Your users don't care what happens to people somewhere else, they
>just want to get their work done.
>
>Google understands that there are lots of broken DNS configurations out
>there, but their users don't want to hear that it's someone else's fault.

Yes, exactly. Having spent a few decades wearing the DNS admin hat in environments with large user bases, I'd be rich if I had a few cents for all the times I've spent "digging" around to prove it's not "our" problem, but modern users don't care when they can just use Google DNS and it works magically. "It's an upstream issue Google is just working around." "OK, so why can't you?" Following up with the remote admins to fix the issue is often a joke; this isn't the early Internet where most people had a clue, cared, listened to zone contact mailboxes, or were enabled to make timely changes (in all fairness with many orgs). :-)

The upstream brokenness comes in various forms so there's no one-size-fits-all, but for what it's worth to the OP, some sites that gave us issues in 9.9.x seem to work in 9.10.x after we explicitly changed dnssec-validation to auto. Can't fully explain that, but we literally had queries running in a loop against Google, 9.9.x and 9.10.x while we twiddled different things, and zones with upstream issues like this would not resolve via 9.9.x but started working fine with 9.10.x.