Implementing Views : root and loopback

Kevin Darcy kcd at daimlerchrysler.com
Tue Dec 10 15:33:30 UTC 2002


Walker Simon-SWALKER1 wrote:

> Hi everyone,
>
> I am reading about the use of a view in the DNS 9.22rc1 and see that this is a good security feature.
>
> What I wanted to ask was about the loopback and root hint zone.
>
> In O'Reilly there is an example of using views and it says that "if you configure even one view statement, all your zone statements must appear with explicit views"
>
> The Example :
>
> options {
>         directory "/var/named";
> };
>
> acl "fx-subnet" { 192.168.254/24; };
>
> view "internal" { // internal view of our zones
>
>      match-clients {"fx-subnet"; };
>
>      zone "fx.movie.edu" {
>            type master;
>            file "db.fx.movie.edu";
>      };
>
>      zone "254.168.192.in-addr.arpa" {
>            type master;
>            file "db.192.168.254";
>      };
> };
>
> view "external" { //view of our zones for the rest of the world
>
>       match-clients { any; }; // implicit
>       recursion no;           // outside of our subnet, they shouldn't be
>                               // requesting recursion
>
>       zone "fx.movie.edu" {
>             type master;
>             file "db.fx.movie.edu.external"; // external zone data file
>       };
>
>       zone "254.168.192.in-addr.arpa" {
>             type master;
>             file "db.192.168.254.external"; // external zone data file
>       };
> };
>
> So the question is what do I do with the "0.0.127.in-addr.arpa" and "." zone?
>
> Do I need to add them to each view, both internal and external? or keep them only for the internal view?
>
> As I write this I think the internal view...am I wrong?

You should only need to define 0.0.127.in-addr.arpa zone in the view which is going to be answering queries from 127.0.0.1.

My guess is that you don't really need to define the root zone in your views if all you want to do is use the Internet root nameservers. This is because named will use a compiled-in set of root-nameserver information if nothing is specified (surprisingly, a quick check of _DNS_and_BIND_, 4th Edition doesn't reveal anything about this fallback behavior). If you have an internal root zone, however, you may want to override this behavior by explicitly defining a root zone in one or both views.

- Kevin
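
The layout discussed in this thread, written out as a named.conf; this is an added example and not part of either original message. It assumes the server's own queries should be served by the "internal" view, so the built-in `localhost` ACL is added to that view's match-clients, and the file names `db.cache` and `db.127.0.0` are assumed.

```conf
options {
        directory "/var/named";
};

acl "fx-subnet" { 192.168.254/24; };

view "internal" {
        // Views are tried in order. Without "localhost" (BIND's built-in ACL
        // for the server's own addresses), a query from 127.0.0.1 matches no
        // entry here and falls through to "external", where recursion is off.
        match-clients { "fx-subnet"; localhost; };

        // Optional: leave this zone out and named falls back to its
        // compiled-in root hints. Define it to point at an internal root.
        zone "." {
                type hint;
                file "db.cache";                  // assumed file name
        };

        // Loopback reverse zone, only in the view that answers 127.0.0.1.
        zone "0.0.127.in-addr.arpa" {
                type master;
                file "db.127.0.0";                // assumed file name
        };

        zone "fx.movie.edu" {
                type master;
                file "db.fx.movie.edu";
        };

        zone "254.168.192.in-addr.arpa" {
                type master;
                file "db.192.168.254";
        };
};

view "external" {
        match-clients { any; };
        recursion no;    // no hint or loopback zone needed in this view

        zone "fx.movie.edu" {
                type master;
                file "db.fx.movie.edu.external";
        };

        zone "254.168.192.in-addr.arpa" {
                type master;
                file "db.192.168.254.external";
        };
};
```

Running `named-checkconf` on the file catches a zone statement left outside any view or an ACL name that does not match its definition.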





More information about the bind-users mailing list