On 18.05.24 07:10, Mark Andrews wrote:
Correct. Later versions use NS queries as that allows named to cache the non-existence of the NS RRset.
I see this happened since 9.18.17 Luckily Debian 11/backports and Debian 12 have incorporated this version.
Using _.domain doesn’t allow that to happen.
Which I guess caused my problem. Looking at the docs, I can only turn it off in previous versions. (QNAME minimization was added in 9.13.2)
NS queries do however expose broken delegations. Make sure you have working NS records at the zone apex and at the delegation point. This is especially important when the server serves multiple levels in the zone hierarchy as intermediate delegations are often not seen without QNAME minimisation but are with QNAME minimisation.
Luckily this is resolving-only server.
We have had bug reports due to all delegating NS records referring to non-existing servers. We have had bug reports due to garbage records at the zone apex.
I encountered problems like this in the past. And then people wonder they DNS work properly.
The "google (8.8.8.8) works" argument is problematic because google violates DNS in cases like this.
-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Honk if you love peace and quiet. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
