Hello Tony, > The other things that can cause the behaviour you observed are synth-from- > dnssec and qname-minimization.
thanks for the heads up concerning synth-from-dnssec; I thought the default was "no", but that seems to have changed somewhere between 9.14 and 9.16... I've just changed that and let's see whether that changes the behaviour. At least, from the documentation it sounds like it should have the same effect. qname-minimization is set to relaxed, so that shouldn't have an effect, and at least all Windows AD DNS-servers I know can cope with normalized/minimized queries. > It might make sense to forward the whole of .lan and .local to your Windows > resolvers, assuming you have one set of servers that knows the whole > namespace. As the AD domains aren't part of a singular forest, there is no "global" lan or local zone, alas. I'm also only able to access other forwarders (rather: firewalls connected via VPN to the resolver), not the nameservers of the disjointed forests themselves, which is the main point why setting up an aggregate .lan/.local-zone is rather difficult, as I can't even put in proper glue if I were to synthesize a corresponding zone. But I'll try with synth-from-dnssec, that should do the trick. Thanks! --- Heiko.
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list [email protected] https://lists.isc.org/mailman/listinfo/bind-users
