forwarding zone setup from a BIND slave (without recursion?)

Mark Andrews marka at isc.org
Wed Apr 7 23:25:21 UTC 2021 


> On 8 Apr 2021, at 00:37, Tony Finch <dot at dotat.at> wrote:
> 
> Chuck Aurora <ca at nodns4.us> wrote:
>> 
>> A stub or static-stub zone would not require recursion.  In that case
>> named is asking for authoritative data from upstream.  But type
>> forward zones indeed cannot work if recursion is disabled.
> 
> Be careful in this kind of situation to be very clear about which client
> or server is doing what: in this case, it isn't clear what doesn't require
> recursion for stub or static stub.
> 
> All three types of zone configuration (stub, static stub, and forward)
> are only useful on a server that is providing recursive service.
> 
> Forward zones require the upstream server to be recursive too.

More correctly, the upstream server has to serve the entire namespace being
forwarded if it does not off recursion to the client for forwarding to
work.

> Stub and static-stub expect the upstream server to be authoritative;
> the stub server list is a hint that gets replaced by the authoritative
> server list from the zone (a bit like the root hints) whereas static-stub
> only uses the configured upstream servers.
> 
>>> What I've learned from this list is that you should split
>>> authoritative and recursive service.
>> 
>> I would suggest that as a general best practice, but not an absolute
>> one.  There's nothing wrong with having internal-only authoritative
>> zones on your recursive resolver.  The potential problem comes when
>> you're a globally-published NS for your zones; having recursion
>> enabled can make you vulnerable to more possible attacks.
> 
> Right: the rule is that authoritative servers listed as targets of NS
> records should be authoritative-only; it's OK if recursive servers have
> authoritative copies of zones: it can make them more resilient to outages,
> though it does slightly weird things to DNSSEC validation.
> 
> Tony.
> -- 
> f.anthony.n.finch  <dot at dotat.at>  https://dotat.at/
> Whitby to Gibraltar Point: Northwest 4 to 6 becoming variable 2 to 4,
> then southwest 4 to 6 later. Very rough at first in north, otherwise
> moderate or rough. Snow showers, then rain for a time later. Good,
> occasionally very poor at first.
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org

More information about the bind-users mailing list