criticise me ;-)

Simon Waters Simon at wretched.demon.co.uk
Tue Dec 3 12:54:35 UTC 2002


Tom wrote:
> 
> directory "/chroot/named/etc/namedb";
>           cleaning-interval 120;

I'm curious why you felt the need to double this.

>           allow-recursion { trusted; };
>           blackhole { devnulled; };

I don't like to blackhole IPs at layer 7; this belongs in the
routers IMHO, but you might regard it as security in depth. It
is a judgement call.

>           interface-interval 0;
>           allow-transfer { transhosts; };
>           allow-query { trusted; };

auth-nxdomain no; //gets rid of irritating nag message!

I don't mix authoritative and caching where I can avoid it,
should additional-from-cache be "no" in such cases?

You have some options for controlling/restricting "silly" SOA
record values from the masters you slave. I don't have much
practical experience with these settings, but they sound like they
may save you grief (or create grief): min-refresh-time etc.

We don't know what zones you're handling, but we assume you did
good with 0.0.127.in-addr.arpa (and kill spurious traffic to
10.in-addr.arpa, and other RFC1918 space).


More information about the bind-users mailing list
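The points raised in the reply (recursion and queries restricted to trusted clients, blackhole kept only as defence in depth, auth-nxdomain and additional-from-cache turned off, SOA timer clamps for slaved zones, local answers for loopback and RFC 1918 reverse space) pulled together into one BIND 9 named.conf. This is an added example written for this page; it is neither Tom's posted configuration nor Simon's. The ACL address ranges, the slave zone name and master, and the zone file names are assumptions for illustration.

```conf
// Added example, not the configuration posted in the thread.
// Address ranges, zone names and file names below are assumed.

acl "trusted"    { 127.0.0.1; 192.0.2.0/24; };      // assumed: our LAN
acl "transhosts" { 192.0.2.53; 198.51.100.53; };    // assumed: our secondaries
acl "devnulled"  { 203.0.113.0/24; };               // assumed: hostile source net

options {
    directory "/chroot/named/etc/namedb";   // path as in the original post

    // Recursion and general queries only from trusted clients. Authoritative
    // zones below override allow-query per zone so the world can still
    // resolve them without getting a resolver out of us.
    allow-recursion { trusted; };
    allow-query     { trusted; };
    allow-transfer  { none; };              // opened per zone for transhosts only

    // Layer-7 blackhole: named silently drops packets from these sources.
    // As the reply notes this belongs in the routers; here it is defence in depth.
    blackhole { devnulled; };

    // Do not set the AA bit on NXDOMAIN, and do not pad authoritative answers
    // with additional records taken from the cache.
    auth-nxdomain no;
    additional-from-cache no;
    additional-from-auth no;

    // Clamp unreasonable SOA timers received from masters we slave from
    // (values in seconds; chosen here as an illustration).
    min-refresh-time 300;
    max-refresh-time 86400;
    min-retry-time   300;
    max-retry-time   7200;

    interface-interval 0;
    cleaning-interval 120;
};

// Loopback reverse zone: answered locally, for anyone who asks.
zone "0.0.127.in-addr.arpa" {
    type master;
    file "localhost.rev";       // assumed file: SOA, NS, and PTR 1 -> localhost.
    allow-query { any; };
};

// Empty RFC 1918 reverse zones so queries for private addresses are answered
// here (NXDOMAIN) instead of leaking to the root servers. empty.db is assumed
// to hold only an SOA and an NS record pointing at this server.
zone "10.in-addr.arpa"       { type master; file "empty.db"; };
zone "16.172.in-addr.arpa"   { type master; file "empty.db"; };
// ... one such zone for each of 17.172 through 31.172 ...
zone "168.192.in-addr.arpa"  { type master; file "empty.db"; };

// An illustrative slaved zone (assumed name and master) to which the SOA
// timer clamps above apply. Query is opened to everyone for this zone only;
// transfers go only to the listed secondaries.
zone "example.org" {
    type slave;
    masters { 198.51.100.1; };
    file "slave/example.org";
    allow-query    { any; };
    allow-transfer { transhosts; };
};
```

The per-zone allow-query { any; } is what keeps this usable as a public authoritative server while the global allow-query { trusted; } shuts outsiders out of the resolver; without the per-zone override the zones would be invisible to anyone outside the trusted ACL. Whether to run the slaved zones and the resolver on the same named at all is the separate judgement the reply leaves to the reader.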