Unapproved AXFR?

Barry Margolin barmar at bbnplanet.com
Tue Dec 14 19:05:33 UTC 1999


   Date: Tue, 14 Dec 1999 13:58:22 -0500 (EST)
   From: Dave Wreski <dave at nic.com>


   > Anything else, like split DNS, requires more work to set up and has ongoing
   > maintenance effort.  You need to have a good reason to do this, to justify
   > the work.  But they don't feel the need for strong justification to add an
   > "allow-transfer" line to the named.conf, and I hardly blame them.  Unless
   > they're deluding themselves into thinking that this is real data
   > protection, I see no problem with it.

   I had a question about split DNS, actually.  Is there really much
   difference between configuring split DNS and creating zones that are not
   resolvable from unauthorized domains?  Now that bind8 has allow-query, it
   seems less of an advantage...

Most organizations don't want to have different zones.  They want to use
company.com internally and externally, but the external version will have a
subset of the contents (just www.company.com, the MX record for
company.com, etc., but not all the internal servers and workstations).  So
you need to have a server with multiple DNS configurations, or multiple
servers (many of our customers have us host the external domain, and they
have internal servers that aren't listed in delegations).  Either way, you
need to make sure that the overlapping names in the domains are kept
consistent (e.g. www.company.com should work for both internal and external
clients).

-- 
Barry Margolin, barmar at bbnplanet.com
GTE Internetworking, Powered by BBN, Burlington, MA
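Barry's closing point, that names present in both the internal and external copies of company.com must stay consistent, is the kind of thing that drifts silently once two servers (or two configurations) carry the zone. The following is an added example, not from the original thread and not part of BIND, of a small Python check that parses two constructed zone-file fragments and reports (a) names served externally whose records differ from the internal copy and (b) names that exist only in the external zone, which should not happen if the external zone is the subset the post describes. The hostnames, addresses and both zone texts are constructed for illustration; `parse_zone` and `compare_zones` are hypothetical helper names.

```python
"""Check that an external (public) copy of a zone is a consistent subset of the internal copy.

Added example for illustration; the zone data below is constructed, not real.
"""
from collections import defaultdict

# Constructed internal view of company.com (private hosts included).
INTERNAL_ZONE = """\
$ORIGIN company.com.
$TTL 3600
@        IN SOA  ns1.company.com. hostmaster.company.com. ( 1999121401 3600 900 604800 86400 )
@        IN NS   ns1.company.com.
@        IN MX   10 mail.company.com.
ns1      IN A    192.0.2.1
www      IN A    192.0.2.10
mail     IN A    192.0.2.20
intranet IN A    10.1.1.5     ; internal only, must never appear externally
ws042    IN A    10.1.2.42    ; internal workstation
"""

# Constructed external view: a subset, but with two deliberate inconsistencies.
EXTERNAL_ZONE = """\
$ORIGIN company.com.
$TTL 3600
@        IN SOA  ns1.company.com. hostmaster.company.com. ( 1999121403 3600 900 604800 86400 )
@        IN NS   ns1.company.com.
@        IN MX   10 mail.company.com.
ns1      IN A    192.0.2.1
www      IN A    192.0.2.11   ; drifted from the internal copy
mail     IN A    192.0.2.20
ftp      IN A    192.0.2.30   ; present externally but unknown internally
"""


def parse_zone(text):
    """Parse a simple one-record-per-line zone file into {(fqdn, type): set(rdata)}.

    Handles $ORIGIN, optional TTL and class fields, '@' and relative owner names,
    and ';' comments. SOA records are skipped because their serials legitimately
    differ between copies. Multi-line parenthesised records and $INCLUDE are not
    supported; this is a deliberately small checker.
    """
    origin = "."
    records = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):
            continue  # $TTL and other directives do not affect the comparison
        owner, idx = tokens[0], 1
        if tokens[idx].isdigit():
            idx += 1  # explicit TTL
        if tokens[idx].upper() == "IN":
            idx += 1  # class
        rtype = tokens[idx].upper()
        rdata = " ".join(tokens[idx + 1:])
        if rtype == "SOA":
            continue
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner
        else:
            fqdn = owner + "." + origin
        records[(fqdn, rtype)].add(rdata)
    return dict(records)


def compare_zones(internal_text, external_text):
    """Return the RRsets that differ between copies and those only present externally."""
    internal = parse_zone(internal_text)
    external = parse_zone(external_text)
    mismatched = {}
    external_only = []
    for key, rdata in sorted(external.items()):
        if key not in internal:
            external_only.append(key)
        elif internal[key] != rdata:
            mismatched[key] = (sorted(internal[key]), sorted(rdata))
    return {"mismatched": mismatched, "external_only": external_only}


def report(internal_text, external_text):
    """Print a human-readable summary; returns True when the copies are consistent."""
    result = compare_zones(internal_text, external_text)
    for (name, rtype), (inside, outside) in result["mismatched"].items():
        print(f"MISMATCH {name} {rtype}: internal={inside} external={outside}")
    for name, rtype in result["external_only"]:
        print(f"EXTERNAL-ONLY {name} {rtype}: not present in the internal zone")
    return not result["mismatched"] and not result["external_only"]


if __name__ == "__main__":
    report(INTERNAL_ZONE, EXTERNAL_ZONE)
```

Run against the constructed data the check flags `www.company.com.` (the two copies disagree on its address) and `ftp.company.com.` (served externally with no internal counterpart). Only names that appear in the external zone are inspected, so internal-only hosts such as `intranet` are, correctly, not reported; a separate check would be needed to confirm that the external zone never gains one of them.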

