Best practice MultiView
Nick Tait
nick at tait.net.nz
Mon Apr 17 21:38:09 UTC 2023
On 18/04/2023 2:43 am, Greg Choules via bind-users wrote:
> Why do you need it? Do you have some secondaries that are not listed
> as NS in zones?
The goal was to have the primary use a particular TSIG key when it sends
out the NOTIFY messages to the secondaries, which is achieved by turning
off the default notifies ("notify explicit"), and specifying the keys in
an "also-notify" block.
> Regarding views. Why would you have the same zone in an internal and
> external view? A few years ago, having to maintain multiple zones of
> the same name but different contents caused me problems daily. I would
> recommend having internal zones be proper delegations from external
> zones. e.g.:
> external "example.com"
> internal "internal.example.com"
I agree that having your internal infrastructure in a sub-zone is a good
idea. But even if you do this there are valid reasons for having a
split-view of the parent zone. One reason is so that you can include
proper NS delegation records in the parent zone (e.g. in the internal
view only). (I don't remember all the details, but I seem to recall that
without these, if the parent zone is DNSSEC-signed and doesn't use the
OPT-OUT feature, then a DNSSEC-validating resolver (e.g. running the "delv"
tool) would complain when querying names in the internal zone.)
Nick.
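
The per-view NOTIFY setup described in the message above, sketched as a primary-side named.conf fragment. This is an added example, not configuration posted in the thread; the key names, secrets, addresses, ACL and file names are placeholders, and matching views on the TSIG key is an assumption about how the views are selected.

```conf
// Constructed example: every name, address and secret below is a placeholder.
key "notify-internal" { algorithm hmac-sha256; secret "REPLACE_WITH_BASE64_SECRET_1"; };
key "notify-external" { algorithm hmac-sha256; secret "REPLACE_WITH_BASE64_SECRET_2"; };

acl "internal-nets" { 10.0.0.0/8; };

view "internal" {
    // Requests signed with the external key must never land in this view,
    // even when they arrive from an internal address.
    match-clients { !key "notify-external"; key "notify-internal"; "internal-nets"; };

    zone "example.com" {
        type primary;
        file "internal/example.com.db";
        // Suppress the default NOTIFY to the servers in the NS RRset ...
        notify explicit;
        // ... and send NOTIFY only to the listed secondary, signed with this view's key.
        also-notify { 192.0.2.53 key "notify-internal"; };
        // Only transfers signed with the same key get the internal zone contents.
        allow-transfer { key "notify-internal"; };
    };
};

view "external" {
    match-clients { any; };

    zone "example.com" {
        type primary;
        file "external/example.com.db";
        notify explicit;
        also-notify { 192.0.2.53 key "notify-external"; };
        allow-transfer { key "notify-external"; };
    };
};
```

Running `named-checkconf` on the file catches syntax errors and references to undefined keys before a reload. The secondary needs the same two keys defined, with each of its views matching on the corresponding key.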