relax 'ignoring out-of-zone data' checks?

Danny Mayer mayer at gis.net
Sun Jul 14 14:24:59 UTC 2002


At 12:00 PM 7/12/02, Ian Marsh wrote:
>   I hope someone can help... We currently have an old email system that is
>somewhat kak-handed in the way that it deals with outbound internet mail.
>As we didn't (at the time) have access to the code that handles this
>process, we found the only way to get around it was to setup some wildcard
>MX records to force it to deliver the mail where it actually needed to go
>and not where it thought it should go. As a result we have got a series of
>records like this in our internal DNS:
>
>*.              MX      6 mailrelay.hants.gov.uk.
>*.com.          MX      6 mailrelay.hants.gov.uk.
>*.uk.           MX      7 mailrelay.hants.gov.uk.
>*.gov.uk.       MX      7 mailrelay.hants.gov.uk.
>etc...
>
>   This has gotten around the problem and has worked fine for a number of
>years. Now, however, we want to upgrade the DNS server to the latest
>release of Bind and it is ever so kindly rejecting those wildcards! As the
>chances of altering the offending code are small, and the server is
>destined to remain in operation for the next couple of years at least, my
>only hope is to persuade Bind not to ignore that 'out-of-zone' data and
>accept it as-is. As this is an internal DNS server, and so not publicly
>accessible, I don't see that there should be a problem doing this...
>
>   Does anyone have any suggestions on how to do this? Some fairly major
>projects rely on the new DNS setup so I am quite desperate to find a
>solution.
>
>TIA
>Ian

You need to have the mail system forward to your mail relay. If you can't get
it to do that you need to replace it.  There are plenty of free ones out there
like sendmail. I can only assume that this mail system doesn't know or
understand about firewalls and relays?

There is no way for BIND to relax its out-of-zone rules.

If you absolutely cannot replace the mail system, set up the old version
of BIND that you are running on the same box and point that system
to it (resolv.conf then needs to contain a "nameserver 127.0.0.1" record
and no other nameserver records). No other box needs to know about the
DNS server running on that system.

Danny
