slave == entire zone transfer
Snoopy
snoopy at greenapple.com
Fri Oct 3 01:09:40 UTC 2003
thanks for the comments .....
"Barry Margolin" <barry.margolin at level3.com> wrote in message news:blf5u7$1brt$1 at sf1.isc.org...
> In article <blf2b5$18ms$1 at sf1.isc.org>, Snoopy <snoopy at greenapple.com> wrote:
> >Hello all,
> >
> >
> >In 198.144.4.4
> >----------------
> > zone "pvt.ga.org"{
> > type slave; file "blah"; masters { 201.235.6.1; };
> > allow-query {198.144.4.1; };
> > allow-transfer { none; };
> > };
> >
> >
> >In slave dns server (198.144.4.1)
> >-----------------------------------
> > zone "pvt.ga.org"{
> > type slave; masters{ 198.144.4.4; };
> > forward only; forwarders { 198.144.4.4; };
> > allow-query{ 127.0.0.1; };
> > allow-transfer { none; };
> > };
> >
> > Reading the bind book pg.85, it says that a slave server would do a
> >'zone transfer' from the master. If I specify 'forward only', would the
> >slave dns server (198.144.4.1) still perform entire zone transfer, or it
> >would only forward query for that zone (pvt.ga.org) to the forwarder
> >(198.144.4.4) ?
>
> A server never forwards queries for a zone that it's authoritative for, and
> being a master or slave makes it authoritative.
>
> I think the forwarding-related statements in this zone will only have an
> effect if there are subdomains that are delegated to other servers. In
> that case, the queries will be forwarded to 198.144.4.4 instead of the
> servers in the NS records.
>
> > Basically, for zone "pvt.ga.org" I want it not to do zone transfer from
> >198.144.4.4 but only to query it. I also wanted to secure that zone, so that
> >only that slave dns server can query it itself for that zone.
> >
> > I think I can achieve this with an 'allow-query {127.0.0.1; };' in the
> >_global_ option and then for zone 'pvt.ga.org' just do 'type forward' zone,
> >but it would require me to modify lots of other things as well, so I hope I
> >can avoid all that......
>
> Is your server being used as a caching server? If not, you could do what
> you want with "allow-recursion" in the global options and a "type forward"
> zone. Forwarding is only done when recursion is enabled.
>
> However, this may still not solve your problem completely. If one of the
> addresses in the allow-recursion statement does a lookup, the results will
> be cached. Then any other client will be able to look up that record until
> its TTL expires.
>
> Why not do away with the forwarding entirely, and just delegate the
> subdomain normally, with a firewall blocking access to the subdomain's
> nameservers?
>
> --
> Barry Margolin, barry.margolin at level3.com
> Level(3), Woburn, MA
> *** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
> Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
>
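The named.conf Barry's suggestion amounts to, for the server at 198.144.4.1, as an added example that is not part of this thread (the addresses are the ones in the thread; the ACL name, directory path and the commented allow-query-cache line, which only exists in later BIND 9 releases, are assumptions):

```conf
// Added example: forward-only handling of pvt.ga.org with recursion
// limited to the hosts that are allowed to reach the forwarder.
// "pvt-clients" is an assumed ACL name; 127.0.0.1 and 198.144.4.1 come
// from the thread.
acl "pvt-clients" { 127.0.0.1; 198.144.4.1; };

options {
    directory "/var/named";            // assumed path
    recursion yes;
    // Forwarding is only done for recursive queries, so whoever is listed
    // here is the only party that can have pvt.ga.org looked up via
    // 198.144.4.4. Everyone else gets a non-recursive answer.
    allow-recursion { "pvt-clients"; };
    // Caveat from the thread: once a pvt-clients host has looked a name
    // up, the answer sits in the cache until its TTL expires and any client
    // can read it from there. In BIND 9.4 and later the cache itself can be
    // restricted to the same ACL (this statement does not exist in the
    // BIND version current when the thread was written):
    // allow-query-cache { "pvt-clients"; };
};

// A forward zone is not authoritative, so there is no master to transfer
// from and no zone file on disk; every query for pvt.ga.org is sent to
// 198.144.4.4 on the client's behalf. Note that "type slave" with
// "forward only", as in the original config, never forwards at all because
// the slave is authoritative for the zone.
zone "pvt.ga.org" {
    type forward;
    forward only;
    forwarders { 198.144.4.4; };
};
```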