slave == entire zone transfer

Barry Margolin barry.margolin at level3.com
Wed Oct 1 18:04:49 UTC 2003


In article <blf2b5$18ms$1 at sf1.isc.org>, Snoopy <snoopy at greenapple.com> wrote:
>Hello all,
>
>
>In 198.144.4.4
>----------------
>    zone "pvt.ga.org"{
>        type slave; file "blah"; masters { 201.235.6.1; };
>        allow-query {198.144.4.1; };
>        allow-transfer { none; };
>    };
>
>
>In slave dns server (198.144.4.1)
>-----------------------------------
>    zone "pvt.ga.org"{
>       type slave; masters{ 198.144.4.4; };
>       forward only; forwarders { 198.144.4.4; };
>       allow-query{ 127.0.0.1; };
>       allow-transfer { none; };
>    };
>
>    Reading the bind book pg.85, it says that a slave server would do a
>'zone transfer' from the master. If I specify 'forward only', would the
>slave dns server (198.144.4.1) still perform an entire zone transfer, or
>would it only forward queries for that zone (pvt.ga.org) to the forwarder
>(198.144.4.4)?

A server never forwards queries for a zone that it's authoritative for, and
being a master or slave makes it authoritative.

I think the forwarding-related statements in this zone will only have an
effect if there are subdomains that are delegated to other servers.  In
that case, the queries will be forwarded to 198.144.4.4 instead of the
servers in the NS records.

>    Basically, for zone "pvt.ga.org" I want it not to do zone transfer from
>198.144.4.4 but only to query it. I also wanted to secure that zone, so that
>only that slave dns server can query it itself for that zone.
>
>   I think I can achieve this with an 'allow-query {127.0.0.1; };' in the
>_global_ option and then for zone 'pvt.ga.org' just do 'type forward' zone,
>but it would require me to modify lots of other things as well, so I hope I
>can avoid all that......

Is your server being used as a caching server?  If not, you could do what
you want with "allow-recursion" in the global options and a "type forward"
zone.  Forwarding is only done when recursion is enabled.

However, this may still not solve your problem completely.  If one of the
addresses in the allow-recursion statement does a lookup, the results will
be cached.  Then any other client will be able to look up that record until
its TTL expires.

Why not do away with the forwarding entirely, and just delegate the
subdomain normally, with a firewall blocking access to the subdomain's
nameservers?

-- 
Barry Margolin, barry.margolin at level3.com
Level(3), Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
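The "allow-recursion in the global options plus a type forward zone" layout Barry suggests, written out as a named.conf fragment for the server at 198.144.4.1. This is an added illustration, not configuration posted in the thread; it reuses the addresses from the question (198.144.4.1 as the only host allowed to recurse, 198.144.4.4 as the forwarder) and assumes BIND 9. The allow-query-cache line is there for the caveat Barry raises about other clients reading the record back out of the cache; that directive exists only in BIND 9.4 and later, so on older versions it has to be omitted and the cache-leak caveat stands.

```conf
options {
    // Forwarding only happens when recursion is on, so recursion stays
    // enabled but is restricted to the one host that may see pvt.ga.org.
    recursion yes;
    allow-recursion { 127.0.0.1; 198.144.4.1; };

    // Barry's caveat: once 198.144.4.1 resolves a name, the answer sits in
    // the cache until its TTL expires. Restricting cache reads to the same
    // ACL closes that window. (Assumes BIND 9.4 or later.)
    allow-query-cache { 127.0.0.1; 198.144.4.1; };

    // Any authoritative zones this server also carries remain open.
    allow-query { any; };
};

// Not "type slave": a slave is authoritative, and a server never forwards
// queries for a zone it is authoritative for. A forward zone holds no copy
// of the data, so there is nothing to transfer and nothing to leak.
zone "pvt.ga.org" {
    type forward;
    forward only;
    forwarders { 198.144.4.4; };
};
```

On 198.144.4.4 the zone stays as posted in the question (allow-query limited to 198.144.4.1, allow-transfer none), so the only path to the zone data is a recursive query from the forwarding server, which itself only accepts such queries from the listed addresses. Run named-checkconf against the file before reloading to catch syntax slips in the ACL blocks.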

