debug SERVFAIL

Reindl Harald h.reindl at thelounge.net
Sun Oct 2 18:41:38 UTC 2016 


Am 02.10.2016 um 20:32 schrieb Per olof Ljungmark:
> On 2016-10-02 19:22, Nico CARTRON wrote:
>> Hi Per,
>>
>>> On 2 Oct 2016, at 19:07, Per olof Ljungmark <peo at intersonic.se> wrote:
>>>
>>> [...]
>>>
>>>> Just use the "hint" type configuration. This is just fine for most users.
>>>
>>> The interesting thing is why FreeBSD includes the recommendation in the
>>> default named.conf if that is not good, and I thought it would be
>>> interesting to know why.
>>
>> I just checked one of my FreeBSD servers and couldn't find this section/recommendation.
>> If I'm not mistaken the default named.conf does include hints and also RFC1918 in-addr.arpa, not more.
>
> The default is the hints file yes, but the default (named.conf.sample)
> file does have the following lines, at least with 9.10 and it uses the
> word "advantages" for the alternative config which obviously does not
> work in all cases. It adds "Use with caution" though.

well, indepenent what some comments pretend with our without warnings - 
*never* ever slave a zone where don't know the admin on the other side 
in person because there is no guarantee that tomorrow a transfer is 
allowed even if it's today

hence the "this method requires more monitoring"

that means: if you can't monitor or even don't know how to monitor and 
don't fully understand leave your fingers from it


> // The traditional root hints mechanism. Use this, OR the slave zones below.
> zone "." { type hint; file "/usr/local/etc/namedb/named.root"; };
>
> /*      Slaving the following zones from the root name servers has some
>         significant advantages:
>         1. Faster local resolution for your users
>         2. No spurious traffic will be sent from your network to the roots
>         3. Greater resilience to any potential root server failure/DDoS
>
>         On the other hand, this method requires more monitoring than the
>         hints file to be sure that an unexpected failure mode has not
>         incapacitated your server.  Name servers that are serving a lot
>         of clients will benefit more from this approach than individual
>         hosts.  Use with caution.
>
>         To use this mechanism, uncomment the entries below, and comment
>         the hint zone above.
>
>         As documented at http://dns.icann.org/services/axfr/ these zones:
>         "." (the root), ARPA, IN-ADDR.ARPA, IP6.ARPA, and ROOT-SERVERS.NET
>         are available for AXFR from these servers on IPv4 and IPv6:
>         xfr.lax.dns.icann.org, xfr.cjr.dns.icann.org

More information about the bind-users mailing list