slave == entire zone transfer

Snoopy snoopy at greenapple.com
Fri Oct 3 01:09:40 UTC 2003


thanks for the comments .....

"Barry Margolin" <barry.margolin at level3.com> wrote in message
news:blf5u7$1brt$1 at sf1.isc.org...
> In article <blf2b5$18ms$1 at sf1.isc.org>, Snoopy <snoopy at greenapple.com> wrote:
> >Hello all,
> >
> >
> >In 198.144.4.4
> >----------------
> >    zone "pvt.ga.org"{
> >        type slave; file "blah"; masters { 201.235.6.1; };
> >        allow-query {198.144.4.1; };
> >        allow-transfer { none; };
> >    };
> >
> >
> >In slave dns server (198.144.4.1)
> >-----------------------------------
> >    zone "pvt.ga.org"{
> >       type slave; masters{ 198.144.4.4; };
> >       forward only; forwarders { 198.144.4.4; };
> >       allow-query{ 127.0.0.1; };
> >       allow-transfer { none; };
> >    };
> >
> >    Reading the bind book pg.85, it says that a slave server would do a
> >'zone transfer' from the master. If I specify 'forward only', would the
> >slave dns server (198.144.4.1) still perform an entire zone transfer, or would
> >it only forward queries for that zone (pvt.ga.org) to the forwarder
> >(198.144.4.4) ?
>
> A server never forwards queries for a zone that it's authoritative for, and
> being a master or slave makes it authoritative.
>
> I think the forwarding-related statements in this zone will only have an
> effect if there are subdomains that are delegated to other servers.  In
> that case, the queries will be forwarded to 198.144.4.4 instead of the
> servers in the NS records.
>
> >    Basically, for zone "pvt.ga.org" I want it not to do zone transfer from
> >198.144.4.4 but only to query it. I also wanted to secure that zone, so that
> >only that slave dns server can query it itself for that zone.
> >
> >   I think I can achieve this with an 'allow-query {127.0.0.1; };' in the
> >_global_ option and then for zone 'pvt.ga.org' just do 'type forward' zone,
> >but it would require me to modify lots of other things as well, so I hope I
> >can avoid all that......
>
> Is your server being used as a caching server?  If not, you could do what
> you want with "allow-recursion" in the global options and a "type forward"
> zone.  Forwarding is only done when recursion is enabled.
>
> However, this may still not solve your problem completely.  If one of the
> addresses in the allow-recursion statement does a lookup, the results will
> be cached.  Then any other client will be able to look up that record until
> its TTL expires.
>
> Why not do away with the forwarding entirely, and just delegate the
> subdomain normally, with a firewall blocking access to the subdomain's
> nameservers?
>
> -- 
> Barry Margolin, barry.margolin at level3.com
> Level(3), Woburn, MA
> *** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
> Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
>
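As an added illustration (not code from the thread or from ISC), the following script checks named.conf zone statements for the two points Barry makes: forward/forwarders directives inside a master or slave zone never take effect, and a "type forward" zone only forwards when recursion is enabled, so without a global allow-recursion restriction any client can trigger it and populate the shared cache. The two configs embedded in the script are constructed: the first is modelled on the slave-server config posted in the question, the second on the "allow-recursion plus type forward" arrangement suggested in the reply. The parser is a minimal one written for this example and handles only flat options/zone blocks, not views.

```python
import re

# Constructed sample configs (modelled on the thread, not copied from it).
ORIGINAL_CONF = """
options { directory "/var/named"; };
zone "pvt.ga.org" {
    type slave; masters { 198.144.4.4; };
    forward only; forwarders { 198.144.4.4; };
    allow-query { 127.0.0.1; };
    allow-transfer { none; };
};
"""

CORRECTED_CONF = """
options {
    directory "/var/named";
    allow-recursion { 127.0.0.1; };  // only the local resolver may trigger forwarding
};
zone "pvt.ga.org" {
    type forward;
    forward only; forwarders { 198.144.4.4; };
};
"""

STMT_RE = re.compile(r"([\w-]+)\s*(.*)", re.S)
ZONE_RE = re.compile(r'\bzone\s+"([^"]+)"\s*(?:IN\s+)?\{')
OPTIONS_RE = re.compile(r"\boptions\s*\{")


def _block_at(text, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def _statements(body):
    """Split a block body into its top-level 'key value' statements."""
    out, depth, cur = {}, 0, []
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == ";" and depth == 0:
            stmt = "".join(cur).strip()
            if stmt:
                key, val = STMT_RE.match(stmt).groups()
                out[key] = val.strip()
            cur = []
        else:
            cur.append(ch)
    return out


def parse_conf(conf):
    """Return (global options dict, {zone name: zone options dict})."""
    conf = re.sub(r"//.*|#.*", "", conf)  # drop line comments
    options = {}
    for m in OPTIONS_RE.finditer(conf):
        options.update(_statements(_block_at(conf, m.end() - 1)))
    zones = {}
    for m in ZONE_RE.finditer(conf):
        zones[m.group(1)] = _statements(_block_at(conf, m.end() - 1))
    return options, zones


def lint(conf):
    """Return findings for the forwarding pitfalls discussed in the thread."""
    options, zones = parse_conf(conf)
    findings = []
    for name, z in zones.items():
        ztype = z.get("type")
        if ztype in ("master", "slave") and ("forward" in z or "forwarders" in z):
            findings.append(
                f'{name}: forward/forwarders in a "{ztype}" zone are ineffective; '
                "an authoritative server answers from the zone and never forwards"
            )
        if ztype == "forward":
            if options.get("recursion", "yes").lower() == "no":
                findings.append(f'{name}: forwarding needs recursion, but "recursion no" is set')
            elif "allow-recursion" not in options:
                findings.append(
                    f"{name}: no global allow-recursion, so any client can trigger "
                    "forwarding and the answers then sit in the shared cache until TTL expiry"
                )
    return findings


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF), ("corrected", CORRECTED_CONF)):
        print(label, "->", lint(conf) or "no findings")
```

Note that even the corrected config has the cache exposure Barry describes: once 127.0.0.1 has looked a name up, the cached record is answerable to any client allowed to query until its TTL expires, which is why delegating the subdomain and filtering access to its nameservers at the firewall is the cleaner design.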


