You can specify a domain for which forwarding should occur. The forwarder definition is by a list of names of servers or a list of IP addresses with an optional port number, or both.

Note	You can specify IPv4 and/or IPv6 addresses and for the changes to take effect, you must reload the CDNS server.

Tip	To force a caching DNS server to only talk to a forwarder, define a forwarder for the DNS root (.).

If you do not want the CDNS server to use the standard resolution method to query the nameserver for certain domains, use exceptions. This bypasses the root nameservers and targets a specific server (or list of servers) to handle name resolution.

Let us say that example.com has four subsidiaries: Red, Blue, Yellow, and Green. Each has its own domain under the .com domain. When users at Red want to access resources at Blue, their CDNS server follows delegations starting at the root nameservers.

These queries cause unnecessary traffic, and in some cases fail because internal resources are often barred from external queries or sites that use unreachable private networks without unique addresses.

Exceptions solve this problem. The Red administrator can list all the other example.com domains that users might want to reach and at least one corresponding nameserver. When a Red user wants to reach a Blue server, the Red server queries the Blue server instead following delegations from the root servers down.

To enable resolution exceptions, simply create an exception for the domain listing the IP address(es) and/or hostname(s) of the authoritative nameserver(s).

Note	Exceptions can contain both IPv4 and/or IPv6 addresses and require a CDNS server reload to take effect.

DNS64 with NAT64 provides access to the IPv4 Internet and servers for hosts that have only IPv6 addresses. DNS64 synthesizes AAAA records from A records, when a IPv6 client queries for AAAA records, but none are found. It also handles reverse queries for the NAT64 prefix(es).

In Cisco Prime IP Express 8.3 and later, you can define multiple prefixes for synthesizing AAAA record.

Note	When you enable DNS64 on multiple Caching DNS servers you must ensure that the same version of Cisco Prime IP Express is installed on all the Caching DNS servers. If DNS firewall redirect is also enabled, the Caching DNS redirect takes precedence over DNS64 functionality.

DNSSEC enables the server to determine the security status of all Resource Records that are retrieved. You can manage DNSSEC only in the Advanced mode. The dnssec attribute enables validation of DNS information. The domain-insecure attribute defines domain names to be insecure, DNSSEC chain of trust is ignored towards the domain names. So, a trust anchor above the domain name can not make the domain secure with a DS record, such a DS record is then ignored. DNSSEC requires a root trust anchor to establish trust for the DNS root servers. The initial DNSSEC root trust anchor, root.anchor, is stored in the .../data/cdns directory and is the default value of the auto-trust-anchor-file attribute. Additional trust anchors may be added by adding them to the .../data/cdns directory and to the auto-trust-anchor-file if the zone supports automated updates according to RFC 5011 or the trust-anchor-file attribute if not. The cdnssec command controls and configures DNSSEC processing in the Cisco Prime IP Express DNS Caching server.

To set the size of the aggressive negative cache in bytes, use the neg-cache-size attribute on the Manage DNS Caching Server page.

The key-cache-size attribute sets the size of the key cache in bytes. The prefetch-key attribute sets whether the DNS caching server should fetch the DNSKEYs earlier in the validation process, when a DS record is encountered.