PLEASE READ: BIND 8.2.2 problem

Jim Reid jim at rfc1035.com
Fri Apr 28 00:57:48 UTC 2000


>>>>> "Brian" == Brian Keves <- NCS UAI Contractor <keves at synopsys.com>> writes:

    >> Well there's a message in the log saying that the zone has been
    >> rejected so the name server hasn't exactly "quietly become
    >> non-authoritative".

    Brian> It is if no one looks at it. Strictly an internal problem I
    Brian> know, we just don't have resources to do this stuff
    Brian> manually.

Well if you can't/won't monitor your DNS logs you *really* have
problems. How many other error and trouble reports are you ignoring?

    Brian> Will need to put in something to monitor this and
    Brian> page someone.

swatch is your friend. You can even make the name server log the
severity of each message it generates so that swatch arranges for the
serious error reports to get acted on immediately.

    Brian> There are circumstances in large companies with large
    Brian> domains that we don't always control. Illegal data is one
    Brian> of those.

Fine. So leave those zones to wallow in their own self-inflicted
cesspit. That's the beauty of delegation. :-)

    Brian> Why not something like reject-on-errors no;?

Where do you draw the line? Would the above proposal allow zones that
had no SOA or NS records? Or stupid refresh/expire intervals? Or
broken/missing SIG, NXT and KEY records? Or names that belong in
another zone? Or syntax errors? Or how about missing RR data?

The bottom line is that it is not difficult to generate correct DNS
data. [And check the name server logs.] So why not do things right
instead of kludging the name server to tolerate practices that are
either illegal or downright broken?
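As an added illustration of the log-monitoring approach suggested in this post (this is example code, not part of Jim Reid's message or of BIND or swatch), the script below scans name server log lines and picks out the ones that should page someone: anything logged at error severity or worse, plus any message about a zone being rejected. It assumes named was configured with a logging channel that uses print-time, print-category and print-severity, so each line has the shape `TIME CATEGORY: SEVERITY: MESSAGE`; the sample log lines, zone names and timestamps are constructed for the example rather than captured from a real BIND 8 server. Lines the parser does not understand are reported separately rather than dropped, since silently ignoring log output is exactly the problem being discussed.

```python
"""Minimal BIND log monitor (added example; assumes print-time,
print-category and print-severity on the logging channel)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Severity names in increasing order of seriousness.
SEVERITY_RANK = {"debug": 0, "info": 1, "notice": 2, "warning": 3,
                 "error": 4, "critical": 5}

# Page on anything at this severity or above (plus zone rejections).
PAGE_AT = "error"

# Assumed line layout: "28-Apr-2000 00:50:01.000 load: error: <message>"
LINE_RE = re.compile(
    r"^(?P<time>\d{2}-\w{3}-\d{4} [\d:.]+) "
    r"(?P<category>[\w-]+): (?P<severity>\w+): (?P<message>.*)$")
# Pull the zone name out of messages such as 'master zone "example.com"'.
ZONE_RE = re.compile(r'zone "(?P<zone>[^"]+)"', re.IGNORECASE)


@dataclass
class LogEvent:
    time: str
    category: str
    severity: str
    message: str

    @property
    def zone(self) -> Optional[str]:
        m = ZONE_RE.search(self.message)
        return m.group("zone") if m else None


def parse_line(line: str) -> Optional[LogEvent]:
    """Return a LogEvent, or None if the line is not in the expected format."""
    m = LINE_RE.match(line.strip())
    return LogEvent(**m.groupdict()) if m else None


def needs_page(event: LogEvent) -> bool:
    """True if the event is serious enough to wake someone up."""
    # An unknown severity name is treated as critical, not ignored.
    rank = SEVERITY_RANK.get(event.severity.lower(), SEVERITY_RANK["critical"])
    if rank >= SEVERITY_RANK[PAGE_AT]:
        return True
    # A rejected zone is worth a page whatever severity it was logged at.
    return "rejected" in event.message.lower()


def scan(lines) -> Tuple[List[LogEvent], List[str]]:
    """Split log lines into events to page on and lines we could not parse."""
    alerts: List[LogEvent] = []
    unparsed: List[str] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)
        elif needs_page(ev):
            alerts.append(ev)
    return alerts, unparsed


# Constructed sample log (not real BIND output).
SAMPLE_LOG = [
    '28-Apr-2000 00:50:01.000 load: warning: Zone "example.com" (file db.example): no default TTL set',
    '28-Apr-2000 00:50:01.000 load: error: master zone "example.com" (IN) rejected due to errors (serial 2000042701)',
    '28-Apr-2000 00:55:00.000 load: warning: slave zone "example.org" (IN) rejected due to errors',
    '28-Apr-2000 00:57:00.000 xfer-in: info: zone transfer of "example.net" from 192.0.2.10 completed',
    'Apr 28 00:57:48 ns1 named[123]: db_load: unexpected line',
]


def main() -> None:
    alerts, unparsed = scan(SAMPLE_LOG)
    for ev in alerts:
        print(f"PAGE: {ev.time} [{ev.severity}] zone={ev.zone}: {ev.message}")
    for line in unparsed:
        print(f"UNPARSED (check the logging format): {line}")


if __name__ == "__main__":
    main()
```

Feeding the script a live log (for example via `tail -f` piped into `scan`) and replacing the `print` in `main` with whatever pages the on-call person gives the monitor Brian was asking for; the severity threshold and the "rejected" keyword are the two knobs to tune.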


