Negative zones; NXDOMAIN responses

Kevin Darcy kcd at chrysler.com
Mon May 20 23:44:50 UTC 2013


On 5/20/2013 11:36 AM, Chris Buxton wrote:
> On May 20, 2013, at 12:51 AM, Narcis Garcia <informatica at actiu.net> wrote:
>
>> - Yes, I thought about not using DNS from the same internet provider,
>> but wanted to know if there is a way to patch only the .local response.
>>
>> - This is the configuration I use in one of the LANs:
>>
>> view "local-nets" {
>>         match-clients { acl_local-nets; };
>>         recursion yes;
>>         forwarders {
>>                 62.151.2.8;
>>         };
>>         include "/etc/bind/named.conf.default-zones";
>> }
>>
>> - These are the tests to be done from a client:
>> $ host -t SOA local.
>> $ host -t SOA local. 62.151.2.8
>>
>> - I've tried to create an empty zone, or one lacking A or SOA records,
>> but then BIND9 doesn't load it:
>> zone local/IN: has 0 SOA records
>> zone local/IN: has no NS records
>> zone local/IN: not loaded due to errors.
>>
>> - I'm using BIND 9.7.3 from Debian 6, and I see that I need to upgrade
>> to BIND 9.8.4 from Debian 7 to configure an RPZ zone.
>> But I'm not sure if it's useful for SOA records.
> For the time being, .local is not delegated from the root. So just not using your ISP's resolvers will do what you want -- recurse directly to the Internet.
>
> There is no way to create an empty .local zone that won't have even an SOA record. I'm not sure if you could do this via RPZ -- probably -- but why bother when you could just remove your ISP's servers from the equation?
>
>
I'm not a big fan of solutions that bombard the root servers with "junk" 
traffic. According to the Wikipedia entry for ".local", 
l.root-servers.net is already getting hit with about 2300 qps for 
".local" names (thus 4th behind .com, .net and .org). Let's not add to that.

This is fairly trivial to deal with via RPZ:

local                   CNAME   .    ; for the apex
*.local                 CNAME   .    ; for everything else

Full disclosure: I'd love to implement this myself, but
a) my strategic product for DNS resolution charges extra for the RPZ 
functionality, and
b) my biggest business partner, having followed Microsoft's 
recommendation of many years (until their recent reversal) has deployed 
several "real" internal zones under the .local TLD. I can't afford to 
blind myself to those.

                         - Kevin

P.S. Wikipedia might want to update their figures, since I just did a 
query via 
http://stats.l.root-servers.org/cgi-bin/dsc-grapher.pl?window=86400&plot=qtype_vs_all_tld&server=L-root 
and "local" shows as third on the graph, the figure appearing closer to 
2500 qps than 2300 qps.
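As an added example (not part of Kevin's message or the original poster's configuration), here is that RPZ policy written out as a complete zone file, including the SOA and NS records BIND insists on before it will load a zone, plus the named.conf statements that activate it. The zone name "rpz.local-block", the file path and the serial are assumptions; adjust them to the local setup.

```zone
; Constructed example RPZ zone for this thread, not from the original post.
; Assumed zone name and path; put the following in the view that forwards
; to the ISP (the policy is applied before any forwarding happens):
;
;   zone "rpz.local-block" {
;       type master;
;       file "/etc/bind/db.rpz.local-block";
;   };
;   response-policy { zone "rpz.local-block"; };
;
$TTL 300
@       IN  SOA  localhost. hostmaster.localhost. (
                 2013052001 ; serial (constructed)
                 3600       ; refresh
                 600        ; retry
                 86400      ; expire
                 300 )      ; negative-caching TTL
        IN  NS   localhost.

; QNAME triggers. In RPZ, "CNAME ." is the action meaning "answer NXDOMAIN",
; so these two records cover exactly the queries in the thread:
local                   CNAME   .    ; the apex:  host -t SOA local.
*.local                 CNAME   .    ; every name below it, at any depth
```

Check the result from a client with the same `host -t SOA local.` query the original poster used: the resolver should now return NXDOMAIN instead of whatever the ISP's forwarder synthesises.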
