Negative zones; NXDOMAIN responses
Kevin Darcy
kcd at chrysler.com
Tue May 21 15:17:28 UTC 2013
Ugh, I'm trying _really_ hard not to be an annoying nitpicker (yeah, I
know, try harder :-), but...
The relevant verbiage of RFC 6762 is:
Caching DNS servers SHOULD recognize these names as special and
SHOULD NOT attempt to look up NS records for them, or otherwise
query authoritative DNS servers in an attempt to resolve these
names. Instead, caching DNS servers SHOULD generate immediate
NXDOMAIN responses for all such queries they may receive (from
misbehaving name resolver libraries). This is to avoid unnecessary
load on the root name servers and other name servers.
I'm not sure that slaving the root zone (although it is the "simplest
solution" and undoubtedly _works_) is really compatible with the letter
or spirit of that verbiage...
- Kevin
On 5/20/2013 9:03 PM, Mark Andrews wrote:
> The simplest solution is to slave the root zone and
> turn off notify to so you don't spam the official
> root servers. 192.5.5.241 is f.root-servers.net.
>
>
> zone "." IN {
> type slave;
> file "slave/root";
> masters { 192.5.5.241; };
> notify no;
> };
>
> If you want to use DNSSEC to validate the contents then
> you can use views to achieve this.
>
> managed-keys {
> . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
> };
>
> view "secure" {
> match-clients { localnets; };
> match-recursive-only yes;
> zone . {
> type static-stub;
> server-addresses { 127.0.0.1; };
> };
> };
>
> view "external" {
> recursion no;
> allow-recursion { none; };
> zone "." IN {
> type slave;
> file "slave/root";
> masters { 192.5.5.241; };
> notify no;
> };
> };
>
> Mark
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20130521/e4a57386/attachment.html>
More information about the bind-users
mailing list