Doh: Lame server on '' (in ''?) , plus some security stuff.

Kevin Darcy kcd at daimlerchrysler.com
Tue Mar 21 21:41:53 UTC 2000


Kevin Darcy wrote:

> Lincoln Yeoh wrote:
>
> > On 21 Mar 2000 10:26:15 -0800, Barry Margolin <barmar at bbnplanet.com> wrote:
> >
> > >Since you're not hooked up to the Internet, you're not able to get the
> > >authoritative list of root servers from one of the root servers, so they
> > >all seem lame.
> >
> > Ah. Well our darn Cisco 1601 power supply went poof [1] :(. That's lame too
> > ;).
> >
> > Would that be a FAQ? Or most people have working Net connections :).
> >
> > >Because the code that displays domain names always leaves off the last "."
> > >in the fully-qualified name.  When you do that with the "." domain, you get
> > >"".  The code should probably check for this special case and display '.',
> > >but it doesn't.
> >
> > I'd rather they just leave the trailing '.' in, but that's me wanting to
> > see everything, warts and all, but I guess certain apps may not like it.
> >
> > >>with forwarder set to the External server. But how do I only allow
> > >>recursive queries by internals and at the same time prevent recursive
> > >>queries by outsiders?
> > >
> > >Like I said above, the "allow-recursion" option.
> >
> > Thanks! How'd I miss that option.. Doh :).
> >
> > Whilst there I also saw allow-query in a new light...
> > Now gonna restrict allow-query (only let outsiders ask about my public
> > domains, and not others).
>
> I don't understand what you're trying to do here. Are you going to block your
> *inside* users from asking about your public domains? If a public domain is a
> "shadow" of an internal domain, this is not an issue if you configure your
> internal servers properly so that they'll never be forwarding queries for that
> domain. Conversely, if the public domain is completely separate from any
> internal domain, then you'd probably want your internal clients to be able to
> see it.

Oops, got snookered by a semantic ambiguity: apparently "others" referred to
other, i.e. non-public *domains* rather than other, i.e. non-outsider *clients*.
Sheesh.

I tend to think that a split namespace would be a better way to go, though: get
that private data off the external box completely!


- Kevin
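As an added illustration of the two approaches discussed in this thread (restricting `allow-recursion`/`allow-query` on a single box versus Kevin's split namespace), here are two BIND `named.conf` fragments. They are not from the original posters and not BIND's own documentation; the address ranges, zone names and file paths are placeholders, and the two fragments are meant as two separate configuration files on two separate servers (a single file cannot carry two `options` blocks).

```conf
// ---------- named.conf on the EXTERNAL server (reachable from the Internet) ----------
// Assumed internal address space; adjust to the real one.
acl "internal" { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";
    // Recursive lookups (and so use of the cache) only for inside clients.
    allow-recursion { "internal"; };
    // Default for everything that does not set its own allow-query:
    // outsiders get nothing but the zones that explicitly open themselves below.
    allow-query     { "internal"; };
};

// Public zone: authoritative answers for anyone.
zone "example.com" {
    type master;
    file "master/example.com";
    allow-query { any; };
};
// Note the absence of any private zone on this box: that is the split
// namespace. Nothing internal is here, so nothing internal can leak.

// ---------- named.conf on the INTERNAL server (not reachable from outside) ----------
acl "internal" { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";
    recursion yes;
    allow-query     { "internal"; };
    allow-recursion { "internal"; };
    // Assumed: the external server above is at 192.0.2.53 and is the only
    // path to the Internet, so everything we are not authoritative for goes there.
    forwarders { 192.0.2.53; };
    forward only;
};

// Private zone lives only here.
zone "corp.example" {
    type master;
    file "master/corp.example";
};

// If the public zone is a "shadow" of an internal one, serve the internal
// copy here as well, so queries for it are answered locally and are never
// forwarded to the external box.
zone "example.com" {
    type master;
    file "master/example.com.internal";
};
```

A zone-level `allow-query` overrides the one in `options`, which is what lets the public zone open up while the server default stays closed. In BIND 9.4 and later, answers from the cache are additionally governed by `allow-query-cache`, which defaults to the `allow-recursion` list when that is set, so the recursion restriction above carries over to cached data without a further line.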





More information about the bind-users mailing list