BIND 9.4.x empty zones
Niall O'Reilly
Niall.oReilly at ucd.ie
Thu Nov 1 09:51:26 UTC 2007
On 31 Oct 2007, at 22:50, Chris Thompson wrote:
> I have been looking at the new "built-in empty zone" stuff in 9.4.x
I've been treating the warnings about these zones and about
reverse queries for RFC1918 addresses escaping onto the Internet
as prompts to clean up our act, and have begun to configure
explicitly each zone for which an "automatic" warning is otherwise
generated.
I've noticed a couple of surprises (using 9.4.1-P1).
1. The 18 zones for 10/8, 172.16/12, and 192.168/16 don't appear
to be considered for activation as "automatic empty zones",
perhaps in an attempt to avoid collisions with operational use
of addresses from some parts of these blocks. In contrast, an
automatic empty zone is activated for 127/8, even though it
collides with the traditional, and actually configured on the
same server, zone for 127.0.0.1/32. This seems inconsistent.
Rather than silently ignoring these 18 zones, I think it would
be useful to emit a different flavour of warning, intended to
prompt the local sysadmin to consider doing the "right thing".
Relying on eventual per-query "RFC1918" warnings seems to me
to miss an opportunity for giving an early helpful prompt.
Perhaps visibility in the logs by using something like
"automatic empty zone [...] NOT loaded" would be appropriate.
2. When I set up an explicit empty zone with content equivalent to
that provided automatically, my logs are just as noisy, since
a warning is now generated alerting me that the nameserver
has no address.
# your favorite currency here # 0,02
/Niall
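As an added example (not part of Niall's post, and not BIND's own code), the Python below derives the reverse in-addr.arpa zones that cover a list of prefixes, which for 10/8, 172.16/12 and 192.168/16 gives the 18 zones mentioned in point 1, and emits an explicit named.conf stanza plus a minimal zone file for each, so the zones no longer rely on the automatic mechanism. The directory /etc/bind/empty, the SOA timer values and the optional in-zone nameserver name/address are constructed assumptions; by default the zone file mirrors the built-in empty zones (SOA and a single NS record pointing at "."), which is the "nameserver has no address" situation described in point 2, and passing a hostname with an address is one way of giving the NS target an address record.

```python
"""Generate explicit empty reverse zones for private address space.

Added example; not from the bind-users post or from BIND. Reverse
delegations in in-addr.arpa sit on octet boundaries, so a prefix whose
length is not a multiple of 8 (172.16/12) is split into the /16 subnets
that cover it, one zone each: 1 + 16 + 1 = 18 zones for RFC 1918 space.
"""
import ipaddress
from typing import List, Optional

RFC1918_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def reverse_zones(prefix: str) -> List[str]:
    """Return the in-addr.arpa zone names covering an IPv4 prefix."""
    net = ipaddress.ip_network(prefix, strict=True)
    zone_len = -(-net.prefixlen // 8) * 8          # round up to octet boundary
    zones = []
    for sub in net.subnets(new_prefix=zone_len):   # /12 -> sixteen /16 zones
        octets = str(sub.network_address).split(".")[: zone_len // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def empty_zone_file(zone: str, ns_name: str = ".",
                    ns_addr: Optional[str] = None) -> str:
    """Zone file text for an explicit empty zone.

    With the defaults this is the same shape as BIND's built-in empty
    zones: one SOA and one NS record naming "." (SOA timers here are
    constructed values). ns_name/ns_addr are an assumed in-zone host,
    e.g. "ns" with an address, so the NS target has an A record.
    """
    lines = [
        f"$ORIGIN {zone}.",
        "$TTL 10800",
        "@ IN SOA . . 0 28800 7200 604800 86400",
        f"@ IN NS {ns_name}",
    ]
    if ns_name != "." and ns_addr is not None:
        lines.append(f"{ns_name} IN A {ns_addr}")
    return "\n".join(lines) + "\n"


def named_conf_stanzas(prefixes: List[str],
                       directory: str = "/etc/bind/empty") -> List[str]:
    """One master-zone stanza per reverse zone; directory is assumed."""
    stanzas = []
    for prefix in prefixes:
        for zone in reverse_zones(prefix):
            stanzas.append(
                f'zone "{zone}" {{ type master; '
                f'file "{directory}/{zone}.db"; notify no; }};'
            )
    return stanzas


if __name__ == "__main__":
    for stanza in named_conf_stanzas(RFC1918_PREFIXES):
        print(stanza)
    print()
    print(empty_zone_file("10.in-addr.arpa"))
```

Writing each `empty_zone_file(zone)` result to the path named in the corresponding stanza and including the stanzas from named.conf is all that is left; the /32 case (`reverse_zones("127.0.0.1/32")` gives `1.0.0.127.in-addr.arpa`) shows the same function covering the traditional localhost reverse zone the post mentions.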