I had been told they tried that twice and in both cases the domain controller would not let them add the conditional forwarder. On the strength of your having said it worked in your situation, they tried again and now it is working.
Thank you!
Maria

> On Apr 6, 2020, at 11:37 AM, Chris Buxton <cli...@buxtonfamily.us> wrote:
>
> On Apr 3, 2020, at 9:06 AM, bind-li...@iano.org wrote:
>> Because the AD domain controllers already own 10.in-addr.arpa, they refuse
>> to allow us to configure conditional forwarding for its subdomains. So we
>> delegated the subdomains to the inbound endpoints. Because they are
>> delegations, the domain controllers set the recursion desired flag to 0 on
>> the queries they send to the endpoints, and we are not getting replies from
>> the endpoints.
>>
>> As a workaround we tried delegating to our linux bind caching resolvers but
>> we ran into the same issue, that the domain controllers set recursion
>> desired to 0. As a result, when our linux caching servers have the result in
>> cache, the lookup is successful, but when it would require a fresh lookup it
>> gets a reply with no answers. Hence my question, is there a way to tell our
>> bind caching resolvers to ignore the recursion desired flag and provide
>> recursion anyway?
>
> I've solved this before. You've tried two solutions, and neither worked
> alone. You need to do both.
>
> - Delegate the subzones in question to the forwarders (or anywhere, really).
> - Add conditional forwarding for the subzones also, pointing to the
>   forwarders.
>
> Without the delegation, the conditional forwarding won't work -- the MS DNS
> servers will respond authoritatively. But without the conditional forwarding,
> the MS DNS servers will send iterative queries, not recursive queries.
>
> Regards,
> Chris Buxton

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
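The two-step fix Chris describes, written out for the Microsoft DNS side with the DnsServer PowerShell module. This is an added example, not something posted in the thread: the zone names, the forwarder hostname and addresses, and the domain controller name are placeholders. The delegation is created first, because while the DC is still authoritative for the child name it refuses the conditional forwarder, which is exactly what the original poster hit. The `-ReplicationScope` value assumes an AD-integrated forwarder; drop it for a standalone DNS server.

```powershell
# Added example (not from the thread): apply the "delegate AND conditionally
# forward" fix on an AD-integrated Microsoft DNS server.
# All names and addresses below are placeholders, not values from the thread.
$Parent     = '10.in-addr.arpa'              # zone the domain controllers already own
$Child      = '1.10.in-addr.arpa'            # reverse subzone that must resolve elsewhere
$FwdName    = 'resolver1.corp.example'       # hostname for the delegation NS record (placeholder)
$Forwarders = @('10.0.0.53', '10.0.0.54')    # BIND caching resolvers / inbound endpoints (placeholders)
$Dc         = 'dc1.corp.example'             # domain controller to run the check against (placeholder)

# Step 1: delegate the child out of the parent zone. Once delegated, the DC
# no longer answers authoritatively for names under $Child, and the server
# will accept a conditional forwarder for that name.
Add-DnsServerZoneDelegation -Name $Parent -ChildZoneName $Child `
    -NameServer $FwdName -IPAddress $Forwarders

# Step 2: add the conditional forwarder for the same name. Without it the DC
# follows the delegation with iterative (RD=0) queries, which a caching-only
# resolver can only satisfy from cache. With it, the DC sends recursive
# (RD=1) queries to the forwarders.
Add-DnsServerConditionalForwarderZone -Name $Child -MasterServers $Forwarders `
    -ReplicationScope 'Forest'

# Check 1: the DC should now hold a delegated parent and a Forwarder-type child.
$Parent, $Child | ForEach-Object { Get-DnsServerZone -Name $_ } |
    Format-Table ZoneName, ZoneType, IsAutoCreated

# Check 2: a PTR lookup in the child zone against the DC should return data
# even when the forwarders have to fetch it fresh (i.e. nothing cached).
Resolve-DnsName -Name '5.1.10.in-addr.arpa' -Type PTR -Server $Dc -DnsOnly
```

The BIND caching resolvers the forwarder points at must still accept recursive queries from the domain controllers' addresses (`allow-recursion` in named.conf); a forwarder that is rejected with REFUSED looks the same to the client as the RD=0 problem, so check that separately if the PTR lookup still fails.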