dns forwarding
So, let's say that I have 2 DNS servers running BIND 8.x. If one's
asked to resolve a domain and it doesn't have that domain in its cache,
I want it to ask the other before initiating a full recursive lookup on
an internal machine's behalf. Name servers are 10.1.1.1 and 10.1.1.2.
I'd think that, for 10.1.1.1 I'd have (pruned for brevity):
options {
    forward first;                  // try the forwarder, then recurse ourselves
    forwarders { 10.1.1.2; };       // the peer name server
    recursion yes;
    allow-recursion {
        !10.1.1.2;                  // never recurse on the peer's behalf
        10.1.1.0/24;                // but do recurse for local machines
    };
};
and on 10.1.1.2 I'd have a similar setup - 10.1.1.1 set as a forwarder,
and recursion denied from 10.1.1.1 but allowed from other local
machines. That doesn't work, though. It seems that the local peer is
returning a "not found" that's authoritative if the requested name is
not in the peer's cache, and then the first machine doesn't go ahead and
do the recursive lookup for the first client. Removing the peer as a
forwarder fixes the problem, as does removing the restriction on
recursion (because then the peer does the recursive lookup - unless I
remove the restriction on both, which results in an entertaining DoS on
both name servers as they forward the request back and forth over and
over again).
What am I missing here? Is my goal really unobtainable with BIND? I
need two DNS servers for redundancy purposes, and it just makes sense
for them to check with the other local server before getting all
internet recursive on a query. This seems like a simple, common thing,
but maybe it's not.
Thanks.
--Danny
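A small diagnostic, added here as an illustration and not part of Danny's message, for pinning down what the peer actually hands back: run dig against the peer (e.g. dig @10.1.1.2 some.name) and feed the text to this parser, which reports the response code and whether the peer set the aa (authoritative) and ra (recursion available) flags. The two sample outputs are constructed, not captured from his servers.

```python
import re

# Constructed sample: what a peer that denies us recursion might return for
# a name it has not cached (not captured from a real server).
PEER_RESPONSE = """\
; <<>> DiG 8.3 <<>> @10.1.1.2 www.example.com
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
"""

# Constructed sample: a normal answer from a resolver that recurses for us.
GOOD_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
"""

STATUS_RE = re.compile(r"status: (?P<status>[A-Z]+), id: \d+")
FLAGS_RE = re.compile(r"^;; flags: (?P<flags>[a-z ]*);", re.M)


def parse_dig_header(output):
    """Return (status, set of flags) from dig's header lines; raise if absent."""
    status = STATUS_RE.search(output)
    flags = FLAGS_RE.search(output)
    if not status or not flags:
        raise ValueError("no dig header found; did the server answer at all?")
    return status.group("status"), set(flags.group("flags").split())


def classify(output):
    """Describe the reply in the terms that matter for a 'forward first' peer."""
    status, flags = parse_dig_header(output)
    if status == "REFUSED":
        return "refused"  # the peer declined the query outright
    if "ra" not in flags:
        # Recursion is not available to us, so whatever came back was served
        # from cache or produced without recursing (negative answer/referral).
        if status == "NXDOMAIN" and "aa" in flags:
            return "authoritative-negative-without-recursion"
        return "non-recursive"
    if status == "NXDOMAIN":
        return "authoritative-negative" if "aa" in flags else "negative"
    return "answer"
```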
-
To unsubscribe, send email to majordomo@luci.org with
"unsubscribe luci-discuss" in the body.