About root zones

Matus UHLAR - fantomas uhlar at fantomas.sk
Tue Jan 3 14:50:05 UTC 2012


>2012/1/2 Matus UHLAR - fantomas <uhlar at fantomas.sk>:
>> I don't see your point now. I'm afraid that you will have to live with the
>> fact that you can not disable sending queries from BIND when it needs them,
>> you can only prevent it by configuring BIND (so it will not need them) or
>> firewall such packets so they will not get outside (which may break its
>> functionality).

On 03.01.12 16:53, Peter Andreev wrote:
>My point: I need my servers to answer with authoritative data only. I
>need them to not perform anything else. Only "get query - send
>authoritative response". Where in this scenario does BIND have to resolve
>something?

Nowhere. Note that BIND may send upward or root referrals, for clients
that are allowed to view cached data (the hint zone is taken as
cached). Also, BIND can send additional data (authoritative or from
cache) when configured so, but won't recursively resolve them.

See description of additional-from-cache and additional-from-auth, 
maybe minimal-responses.

>In which scenario (except master & notifies) does BIND have to resolve something?

I don't know of any.

>> Maybe ISC will patch BIND to use system resolver for internal queries, but I
>> doubt so. Maybe you can do it but imho it's not worth trying.
>>
>> Maybe you can set up forward only; and forwarders {}; so BIND will forward
>> all recursive queries it generates to your recursive servers.
>>
>> But the way you are trying to get over this, I'm afraid you will fail and
>> that's what I am trying to tell you.
>
>I'm free to replace BIND with another authoritative DNS implementation.

Yes, you are, but I'd advise you to focus on the real problem, if it
exists. Kevin Darcy mentioned that in his response.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux - It's now safe to turn on your computer.
Linux - Teraz mozete pocitac bez obav zapnut.
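
An added example, not part of the original message or of BIND: one way to check from the outside what the thread discusses, by classifying raw DNS responses as authoritative, REFUSED, a referral to the root, or non-authoritative, and reporting the RA (recursion available) flag. The function names and the sample messages are constructed for illustration; only a referral whose NS owner is the root is detected, not other upward referrals.

```python
import struct

def _skip_name(msg, off):
    """Return the offset just past a DNS name (labels or compression pointer)."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)  # pointer is 2 bytes, root label is 1

def classify(msg):
    """Return (verdict, ra_flag) for one raw DNS response message."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    aa, ra, rcode = bool(flags & 0x0400), bool(flags & 0x0080), flags & 0x000F
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    root_ns = False
    for i in range(an + ns):
        owner = off
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        # NS record (type 2) in the authority section, owned by "." (root)
        if i >= an and rtype == 2 and msg[owner] == 0:
            root_ns = True
    if rcode == 5:
        return "refused", ra
    if aa:
        return "authoritative", ra
    if an == 0 and root_ns:
        return "root-referral", ra
    return "non-authoritative", ra

# --- constructed sample messages (not captured traffic) ---
def _name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".") if l) + b"\0"

def build(flags, qname, answers=(), authority=()):
    msg = struct.pack("!6H", 0x1234, flags, 1, len(answers), len(authority), 0)
    msg += _name(qname) + struct.pack("!HH", 1, 1)
    for owner, rtype, rdata in (*answers, *authority):
        msg += _name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

AUTH = build(0x8400, "www.example.com", answers=[("www.example.com", 1, bytes([192, 0, 2, 1]))])
ROOT_REF = build(0x8000, "www.example.net", authority=[("", 2, _name("a.root-servers.net"))])
REFUSED = build(0x8005, "www.example.net")
CACHED = build(0x8180, "www.example.net", answers=[("www.example.net", 1, bytes([192, 0, 2, 2]))])
```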


