Troubleshooting Information
Alan Clegg
alan at clegg.com
Thu Aug 27 17:19:06 UTC 2015
Has anyone recommended doing debugging via NSID instead of the CH class
data?
On 8/27/15 12:55 PM, Bob McDonald wrote:
> If I set this up as follows, it works.
>
> view bind chaos {
>     recursion no;
>     allow-query { 127.0.0.1; none; };
>     zone authors.bind ch { type master; database "_builtin authors"; };
>     zone hostname.bind ch { type master; database "_builtin hostname"; };
>     zone version.bind ch { type master; database "_builtin version"; };
>     zone id.server ch { type master; database "_builtin id"; };
> };
>
> Queries from 127.0.0.1 are answered correctly, queries from anywhere
> else are met with a REFUSED reply.
>
> However, the answers show as coming from view "bind" in the statistics.
> There is also a view named "_bind" which seems to serve those same
> zones. (named won't start if I try to name the view "_bind".)
>
> I can get answers from the zones in view "_bind" if I accept/reject via
> the match-clients statement. If I also remove the zones from view
> "bind", it returns a SERVFAIL to queries for selected devices in that
> view of class chaos. I think I understand this last one.
>
> Setting recursion off does not seem to affect the warning message
> generated by omitting the root hints zone for class chaos.
>
> Bob
>
>
> On Wed, Aug 26, 2015 at 5:50 AM, Bob McDonald <bmcdonaldjr at gmail.com> wrote:
>
> The warning is issued either way (with or without recursion
> specified). But I see the logic in not needing it if recursion is
> set to no.
>
> Thanks again,
>
> Bob
>
> On Wed, Aug 26, 2015 at 5:45 AM, Tony Finch <dot at dotat.at> wrote:
>
> Bob McDonald <bmcdonaldjr at gmail.com> wrote:
> >
> > I'd still include the hint zone (as I'm partial to not having unnecessary
> > warnings on startup).
>
> The "recursion no" directive means you shouldn't have a hint zone in that
> view. (I don't know if it will complain about the inconsistency.)
>
> > Also a lot of folks use localhost and/or localnets in DNS configuration.
> > Just from a security standpoint, I prefer to be more specific. localhost
> > and/or localnets can be much more template friendly, I know.
>
> I just used them as placeholders since they are used in the default ACLs :-)
>
> Tony.
> --
> f.anthony.n.finch <dot at dotat.at> http://dotat.at/
> Viking, North Utsire: Easterly 4 or 5, increasing 6 at times. Slight or
> moderate, but rough in southwest Viking. Showers later. Good, occasionally
> poor later.
--
When I do still catch the odd glimpse, it's peripheral; mere fragments
of mad-doctor chrome, confining themselves to the corner of the eye.
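
Added example, not part of the original message or of BIND: the two diagnostics contrasted in this thread, at the wire level. A version.bind lookup is a TXT question in class CH that the view's allow-query either answers or refuses, while NSID (RFC 5001) is an EDNS option that rides on an ordinary class IN query. The query name example.com, the NSID value ns1.example and the helper constructed_response() are assumptions used to build sample packets.

```python
import struct
CLASS_IN, CLASS_CH, TYPE_TXT, TYPE_OPT, OPT_NSID = 1, 3, 16, 41, 3
RCODES = {0: "NOERROR", 2: "SERVFAIL", 5: "REFUSED"}

def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def opt_rr(nsid_payload=b""):
    """OPT pseudo-RR (root owner, 1232-byte UDP size) carrying one NSID option."""
    rdata = struct.pack("!HH", OPT_NSID, len(nsid_payload)) + nsid_payload
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0, len(rdata)) + rdata

def build_query(qname, qclass, qtype=TYPE_TXT, qid=0x1234, nsid=False):
    """Non-recursive query; nsid=True appends an empty NSID request."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1 if nsid else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, qclass)
    return header + question + (opt_rr() if nsid else b"")

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += msg[off] + 1
    return off + (2 if msg[off] else 1)

def parse_response(msg):
    """Return (rcode name, NSID bytes or None) from a DNS message."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, nsid = 12, None
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # name + qtype + qclass
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        p = 0
        while rtype == TYPE_OPT and p + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[p:p + 4])
            if code == OPT_NSID:
                nsid = rdata[p + 4:p + 4 + olen]
            p += 4 + olen
    return RCODES.get(flags & 0xF, str(flags & 0xF)), nsid

def constructed_response(query, rcode, nsid_payload=None):
    """Constructed sample reply: echoes the question, sets QR and rcode."""
    opt = opt_rr(nsid_payload) if nsid_payload is not None else b""
    header = query[:2] + struct.pack("!HHHHH", 0x8000 | rcode, 1, 0, 0, 1 if opt else 0)
    return header + query[12:skip_name(query, 12) + 4] + opt
```

parse_response() reads only the 4-bit rcode in the header, which covers the NOERROR, SERVFAIL and REFUSED results mentioned in the thread.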