Zone hint

Kevin Darcy kcd at
Mon Oct 8 22:39:05 UTC 2001

Rainaldo Augusto Silva wrote:

> Hi all,
>   I´m in doubt about some issues related to ´hint zone´... Please, let
> me know additional informations:
>     1) What are accepted options in ´hint zone´ (BIND8.2.3)? I have
> seen (in docs.) only ´check-names´ option is accepted... Is it true?

As far as I know, yes. I can't think of anything else that would make
sense there.

>     2) If yes/true (above), why others options is not accepted in hint
> zone (like: forwarders, allow-query, etc...)? I would like inhibit the
> BIND lookup for new root-servers when it is started...

No, you are misunderstanding what a hints zone is. It's just a way for
the nameserver to find the root servers. It's not "zone data", just
"hints", so it makes no sense to put an "allow-query" or
"forwarders" option on it. Once the real root data is obtained, the hints
data are essentially discarded.

Why would you want to restrict query access to the root zone anyway?
I can't think of any legitimate reason to do that.

And what do you hope to achieve by putting "forwarders" at the root zone,
that cannot be achieved by specifying "forwarders" in the
"options" statement?

>     3) Are there some method to inhibit BIND don´t ask (lookup) for
> others root-servers assigned in db.root? I mean, we have four internal
> root-server assigned in ´my´ db.cache, and when I start BIND (named)
> they are ignored (overwrited)... I believe that happens because there
> are a ´forwarders { bla; bla...; };´ statement in named.conf ´global
> options´. This (BIND) behavior is true/correct? Why? (detail: I must
> have the ´forwarders´ statement in global options, because my clients
> need to be resolving internet names AND intranet names).
>   I have already heard sounds like (DNS & BIND Book): ´It will not
> work, because intranet names resolutions are not compatible with
> internet name resolutions´. But I didn´t believe this... :-)

Believe it. There is only *one* root zone, as far as any given nameserver
is concerned. Either it sees the internal root zone (through the hints
file) or it sees the external one (through the forwarders). There is no
way -- and no reason -- for it to see *both*. If you want to resolve both
internal and external names from the same nameserver, then you need to
define all of your internal domains on the nameserver. Note that you
don't have to define all of the internal *zones* on the nameserver -- you
can just define the apex of every internal domain and specify "forwarders
{ }" in the zone definition in order to inhibit forwarding for

- Kevin

More information about the bind-users mailing list