reverse zone for < class C???

Kevin Darcy kcd at daimlerchrysler.com
Fri Jul 6 21:53:58 UTC 2001


Mark.Andrews at nominum.com wrote:

> > Mark.Andrews at nominum.com writes:
> >
> > (snip about mail filtering and such)
> >
> > >     I recommend <start>-<end>.3.2.1.in-addr.arpa for the
> > >     subzone name, rather than <start>-<masklen>.3.2.1.in-addr.arpa
> > >     as the format is more general.  It's also less error prone
> > >     as you will find if you read the other messages in the list
> > >     this week.
> >
> > >     I also recommend that the servers for
> > >     <start>-<end>.3.2.1.in-addr.arpa are also servers for
> > >     3.2.1.in-addr.arpa (official or stealth) so that the site
> > >     can resolve names internally when the connection to the
> > >     outside world is down.
> >
> > I think this is in the RFC, but more ISPs don't allow zone transfers,
> > making it harder to do.
> >
> > -- glen
> >
>
>         If the ISP does not allow the customer to transfer the zone
>         that covers his address space then it is time to find a
>         new ISP.  If the ISP can't / won't provide basic support
>         like this it's time to move onto an ISP that cares about
>         its customers.
>
>         In general it is no more than adding an allow-transfer which
>         covers the address range in addition to the slaves.  Perfectly
>         automatable.

If they care so much about security that they restrict zone transfers, then
they should be securing their zone transfers via TSIG. In which case, it may
not be necessary for them to change their nameserver configuration at all --
just send the customer the relevant TSIG key (through a secure channel of
course).


- Kevin
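The setup the thread describes, written out as an added example (not configuration from the original post or from any of its authors): the ISP delegates the customer's sub-class-C block with the RFC 2317 <start>-<end> naming Mark recommends, and restricts transfers of the parent reverse zone to a TSIG key rather than to a source address, so the customer can run stealth secondaries without the ISP opening allow-transfer to arbitrary hosts. All names, the 192.0.2.0/24 documentation prefix, the 0-63 block and the key name are constructed for this example; the base64 secret is a placeholder to be replaced with output from tsig-keygen (or dnssec-keygen on older BIND releases) and sent to the customer over a secure channel, as Kevin says. hmac-sha256 is chosen here as a modern algorithm; the thread itself does not specify one.

```conf
// ---- ISP side: named.conf (constructed example) ----
key "customer-xfer.key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET_FROM_TSIG_KEYGEN";  // placeholder
};

zone "2.0.192.in-addr.arpa" {
    type master;
    file "db.2.0.192.in-addr.arpa";
    // Transfers are permitted by key, not by source address. A stealth
    // secondary at the customer can pull the zone from any address it
    // happens to use, and a host that merely spoofs an address gets AXFR
    // refused. Drop the "any" address match if a key-only policy is wanted.
    allow-transfer { key "customer-xfer.key"; };
    // Optional: push NOTIFY to the customer's secondaries so they refresh
    // promptly instead of waiting for the SOA refresh timer.
    also-notify { 203.0.113.53; };
};

; ---- ISP side: db.2.0.192.in-addr.arpa (constructed example) ----
; Only the classless-delegation part of the zone is shown.
$ORIGIN 2.0.192.in-addr.arpa.
; Delegate the customer's 192.0.2.0 - 192.0.2.63 block as a subzone named
; by its first and last host number, per the <start>-<end> convention.
0-63            IN NS   ns1.customer.example.
0-63            IN NS   ns2.customer.example.
; Point every host in the block at the equivalent name in the subzone.
; $GENERATE expands to: 1 CNAME 1.0-63, 2 CNAME 2.0-63, ... 63 CNAME 63.0-63
$GENERATE 1-63  $       CNAME   $.0-63

// ---- Customer side: named.conf (constructed example) ----
key "customer-xfer.key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET_FROM_TSIG_KEYGEN";  // same placeholder
};

// Sign every request to the ISP's master with the shared key.
server 198.51.100.53 {
    keys { "customer-xfer.key"; };
};

// The customer is authoritative for its own subzone...
zone "0-63.2.0.192.in-addr.arpa" {
    type master;
    file "db.0-63.2.0.192.in-addr.arpa";
};

// ...and a stealth secondary for the parent, so internal resolvers can
// still walk from 2.0.192.in-addr.arpa to the subzone when the uplink
// is down. Nobody lists this server in the parent's NS set.
zone "2.0.192.in-addr.arpa" {
    type slave;
    file "bak.2.0.192.in-addr.arpa";
    masters { 198.51.100.53; };
};

; ---- Customer side: db.0-63.2.0.192.in-addr.arpa (constructed example) ----
$ORIGIN 0-63.2.0.192.in-addr.arpa.
@       IN SOA  ns1.customer.example. hostmaster.customer.example. (
                2001070601 ; serial (constructed)
                3600 900 604800 3600 )
@       IN NS   ns1.customer.example.
@       IN NS   ns2.customer.example.
1       IN PTR  gw.customer.example.
2       IN PTR  www.customer.example.
```

Two points a practitioner would check after deploying this. First, TSIG authenticates and integrity-protects the AXFR request and response but does not encrypt it, so restricting transfers by key limits who can pull the zone, not who can read it on the wire; that is the usual trade-off and is why the key itself must travel out of band. Second, `named-checkconf` and `named-checkzone` catch syntax errors in the fragments above, but the only real test of the design is a resolution from inside the customer network with the uplink blocked: a PTR query for 192.0.2.2 must still follow the CNAME into the subzone and succeed using the locally held copy of the parent.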
