BIND 9.4.x empty zones

Mark Andrews Mark_Andrews at isc.org
Thu Nov 1 10:38:25 UTC 2007 

> On 31 Oct 2007, at 22:50, Chris Thompson wrote:
> 
> > I have been looking at the new "built-in empty zone" stuff in 9.4.x
> 
> 	I've been treating the warnings about these zones and about
> 	reverse queries for RFC1918 addresses escaping onto the Internet
> 	as prompts to clean up our act, and have begun to configure
> 	explicitly each zone for which an "automatic" warning is otherwise
> 	generated.
> 
> 	I've noticed a couple of surprises (using 9.4.1-P1).
> 
> 	1.
> 	The 18 zones for 10/8, 172.16/12, and 192.168/16 don't appear
> 	to be considered for activation as "automatic empty zones",
> 	perhaps in an attempt to avoid collisions with operational use
> 	of addresses from some parts of these blocks.  In contrast, an
> 	automatic empty zone is activated for 127/8, even though it
> 	collides with the traditional, and actually configured on the
> 	same server, zone for 127.0.0.1/32.  This seems inconsistent.

	No.  They are just waiting for the draft to pass through the
	IETF.
	
> 	Rather than silently ignoring these 18 zones, I think it would
> 	be useful to emit a different flavour of warning, intended to
> 	prompt the local sysadmin to consider doing the "right thing".
> 	Relying on eventual per-query "RFC1918" warnings seems to me
> 	to miss an opportunity for giving an early helpful prompt.
> 	Perhaps visibility in the logs by using something like
> 	"automatic empty zone [...] NOT loaded" would be appropriate.
> 
> 	2.
> 	When I set up an explicit empty zone with content equivalent to
> 	that provided automatically, my logs are just as noisy, since
> 	a warning is now generated alerting me that the nameserver
> 	has no address.
> 
> 	# your favorite currency here # 0,02

	Or you could just remove the #ifdef notyet/#endif from
	bin/named/server.c.

#ifdef notyet
        /* RFC 1918 */
        { "10.IN-ADDR.ARPA", ISC_TRUE },
        { "16.172.IN-ADDR.ARPA", ISC_TRUE },
        { "17.172.IN-ADDR.ARPA", ISC_TRUE },
        { "18.172.IN-ADDR.ARPA", ISC_TRUE },
        { "19.172.IN-ADDR.ARPA", ISC_TRUE },
        { "20.172.IN-ADDR.ARPA", ISC_TRUE },
        { "21.172.IN-ADDR.ARPA", ISC_TRUE },
        { "22.172.IN-ADDR.ARPA", ISC_TRUE },
        { "23.172.IN-ADDR.ARPA", ISC_TRUE },
        { "24.172.IN-ADDR.ARPA", ISC_TRUE },
        { "25.172.IN-ADDR.ARPA", ISC_TRUE },
        { "26.172.IN-ADDR.ARPA", ISC_TRUE },
        { "27.172.IN-ADDR.ARPA", ISC_TRUE },
        { "28.172.IN-ADDR.ARPA", ISC_TRUE },
        { "29.172.IN-ADDR.ARPA", ISC_TRUE },
        { "30.172.IN-ADDR.ARPA", ISC_TRUE },
        { "31.172.IN-ADDR.ARPA", ISC_TRUE },
        { "168.192.IN-ADDR.ARPA", ISC_TRUE },
#endif

> 	/Niall
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the bind-users mailing list