Authoritative internal server - how do I get rid of...

Mark Andrews marka at isc.org
Tue May 21 14:44:41 UTC 2013


In message <20130521140821.GB11898 at h.detebe.org>, "Elmar K. Bins" writes:
> Re Mark,
> 
> > > Oh, I forgot to mention that all master zones have "notify explicit;" set.
> > > (Is there a global setting for that?)
> > 
> > What about the slave zones?  They also send notify messages.
> 
> Which slave zones? This server is auth-only, master-only. That's it.
> No slaves, no recursion, no lookup, no routing, no nothing.
> 
> 
> > > > Additionally you have DNSSEC validation and/or managed keys for the
> > > > root enabled.
> > > 
> > > Err...by default? How do I switch this off?
> > 
> > No.  You have enabled it.
> 
> Oh, where? You seem to know more than I do. The only part
> I can see it is in the "dnssec-validation auto" line in
> the options. Would it help to move this to the "test" zone?

And what do you think "dnssec-validation auto" does?  It turns on
DNSSEC validation and configures named to use the built in managed
keys for the root.  Managed keys track changes in the DNSKEYs using
the method documented in RFC 5011.  This means named needs to make
periodic queries to the root servers to retrieve the root's DNSKEY
RRset, check what DNSKEY records have been added / deleted and see
if those changes are relevant to RFC 5011.  Then named updates its
working copies of those keys.

When named makes an external query and needs to use the hints it
also requests a current copy of the root NS RRset and uses the
response to refresh the root NS RRset in the cache along with the
associated address records.

Mark

> Config see below
> 
> Elmar.
> 
> 
> named.conf is as simple as it gets:
> ======================================================
> 
> options {
>         directory "/var/cache/bind";
>         dnssec-validation auto;
>         recursion no;
>         allow-recursion { none; };
>         additional-from-cache no;
>         auth-nxdomain no;
>         listen-on-v6 { none; };
> };
> 
> key hm1-key. {
>           algorithm hmac-sha256;
>           secret "...";
> };
> 
> server a.b.c.d {
>         provide-ixfr no;
>         keys { hm1-key. ;};
> };
> 
> 
> zone "test" IN {
>                 type master;
>                 file "/dns/pri/test" ;
>                 notify explicit;
>                 also-notify { a.b.c.d; } ;
>                 allow-transfer { key hm1-key. ; } ;
> } ;
> 
> 
> zone "." { type hint; file "/etc/bind/db.root"; };
> zone "localhost" { type master; file "/etc/bind/db.local"; };
> zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; };
> zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; };
> zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; };
> 
> ======================================================
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
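An added configuration example, not part of Mark's reply or of Elmar's posted named.conf, showing the options block of an auth-only, master-only server with validation switched off, so that named has no trust anchors to track under RFC 5011 and no reason to contact the root servers. It also answers the "is there a global setting for that?" question: `notify` and `also-notify` are accepted in `options` and are then inherited by every master zone. The placeholders `a.b.c.d` and `hm1-key.` are the ones from the original post; everything else is an assumption about what this server should look like.

```conf
// Added example (not the original poster's configuration).
// Auth-only, master-only server: no recursion, no validation, explicit notify.
options {
        directory "/var/cache/bind";

        recursion no;
        allow-recursion { none; };

        // Was "auto" in the posted config. "auto" enables validation with the
        // built-in root managed keys, which is what drives the periodic root
        // DNSKEY queries. "no" disables validation entirely; serving signed
        // zones authoritatively does not need it.
        dnssec-validation no;

        // Global equivalents of the per-zone statements in the posted config.
        // Every master zone inherits these unless it overrides them.
        notify explicit;
        also-notify { a.b.c.d; };   // a.b.c.d: the secondary from the original post

        additional-from-cache no;
        auth-nxdomain no;
        listen-on-v6 { none; };
};

// The per-zone "notify explicit;" / "also-notify" lines can now be dropped;
// "allow-transfer { key hm1-key.; };" stays per zone (or can also move to options).
zone "test" IN {
        type master;
        file "/dns/pri/test";
        allow-transfer { key hm1-key.; };
};
```

Check the result with `named-checkconf` before reloading, then confirm the behaviour rather than trusting the config: after `rndc reconfig` the server should no longer log managed-keys refreshes, and a packet capture on port 53 towards the root server addresses should stay empty. Note that newer BIND releases default `dnssec-validation` to `auto`, so an authoritative-only server has to set `no` explicitly rather than relying on the default.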

