From a brief conversation with the bind9 maintainer:

D: If bind gets a servfail, and has two forwarders, will it try the other forwarder?

E: Yes.

D: Even in the case of a dnssec query?

E: Bind9 retries an authoritative answer because it might have been spoofed or one of the servers might be out of date or misconfigured. It uses the function fctx_nextaddress() to get the next address to try when a query fails. fctx_nextaddress() searches through both forwarders and auth servers, depending on what kind of query it is.

D: So I believe it is correct for dnsmasq to try all upstreams on a servfail response, which restores the prior dnsmasq behavior, and is more robust.

E: Yes.

D: This seems to look like the right thing: https://github.com/MartinWetterwald/dnsmasq/pull/1/files

-- 
Dave Täht
Let's go make home routers and wifi faster! With better software!
http://blog.cerowrt.org
