reverse zone of type forward when /28 subnet

Dmitri Tarkhov tarkhov at dionaholding.ru
Sat Dec 29 11:05:49 UTC 2012


Hi,
this finally works:

view "reverse1" IN {
         recursion yes;

         zone "z.y.x.in-addr.arpa" IN {
                 type forward;
                 forward only;
                 forwarders { A; B; };
         };

         zone "localhost" IN {
                 type master;
                 file "master.localhost";
         };

         zone "0.0.127.in-addr.arpa" IN {
                 type master;
                 file "localhst.rev";
         };
};

And Happy New Year!

Dmitri Tarkhov wrote:

> Hi, all,
> 
> thank you very much for discussion. It was interesting and very useful.
> You can pretty well imagine that I am not much dns involved,
> I am rather unix and unix HW guy.
> Unfortunately I saw a dns cache poisoning attack and although it could be
> provoked by side effects it's better to get rid of it altogether.
> For just 14 (241-254) addresses it is not difficult to maintain 2 types
> of master zones in sync (RFC 2317 and RFC 1035) and it's enough to put a
> couple of comment lines to not forget it later.
> Yes, life is short but this is not the reason to not train the brain,
> can help to hook a life a bit longer ...
> Bring stir to the chicken coop and request compliance is generally
> a good idea and fingers itch but I don't expect much from our ISPs ...
> So first I'll try "type forward" within a view,
> then I'm sure, one address zones can serve me right.
> I will also contact the ISP but without great expectations.
> 
> Why I do all this is:
> - enforce security
> - assure stable mail exchange (which depends on reverse resolving)
> 
> Mark Andrews wrote:
> 
>> In message <50DCD454.2070303 at dougbarton.us>, Doug Barton writes:
>>
>>> On 12/27/2012 11:18 AM, Mark Andrews wrote:
>>>
>>>> zone "241.Z.X.Y.IN-ADDR.ARPA" {
>>>>     type master;
>>>>     file "241.Z.X.Y.IN-ADDR.ARPA";
>>>> };
>>>
>>>
>>> That's great locally, but it doesn't match the 2317 delegation from 
>>> the upstream, and usually it's not possible to change what they send 
>>> you.
>>>
>>> Or are you suggesting maintaining both the individual versions of the 
>>> zones, and the 2317 zone?
>>
>>
>>
>> No.  I'm suggesting that they tell their ISP to do RFC 2317 right
>> or do RFC 1035 delegations.   If their ISP won't do either change
>> ISP.
>>
>>
>>> Doug
> 
> 

-- 
Best regards,
Dmitri Tarkhov
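
Added example, not part of the original thread: a Python sketch that derives the RFC 2317 zone name, the parent-side CNAME targets and the one-address zone names for a /28, then flags PTR records that differ between the two sets of master zones the quoted message proposes to keep in sync. The prefix 192.0.2.240/28, the host names and the "<first address>/<prefix length>" zone label are assumptions; the label actually used is whatever the ISP delegates.

```python
import ipaddress

def rfc2317_plan(cidr):
    """Return (classless zone name, {parent owner: CNAME target}, one-address zone names)."""
    net = ipaddress.ip_network(cidr)
    if net.version != 4 or not 24 < net.prefixlen < 32:
        raise ValueError("expected an IPv4 prefix longer than /24")
    a, b, c, d = net.network_address.packed
    parent = f"{c}.{b}.{a}.in-addr.arpa"
    # "<first address>/<prefix length>" is the label style used in RFC 2317's examples;
    # the ISP may pick a different label, so treat this name as an assumption.
    classless = f"{d}/{net.prefixlen}.{parent}"
    cnames = {}
    for host in net.hosts():          # usable addresses only, e.g. 241-254 in a /28
        last = host.packed[3]
        cnames[f"{last}.{parent}"] = f"{last}.{classless}"
    return classless, cnames, list(cnames)

def out_of_sync(cidr, classless_ptrs, single_ptrs):
    """List (owner, PTR in RFC 2317 zone, PTR in one-address zone) where the two differ."""
    _, cnames, _ = rfc2317_plan(cidr)
    return [(owner, classless_ptrs.get(target), single_ptrs.get(owner))
            for owner, target in cnames.items()
            if classless_ptrs.get(target) != single_ptrs.get(owner)]

# Constructed sample data: documentation prefix and made-up host names.
CIDR = "192.0.2.240/28"
CLASSLESS_PTRS = {"241.240/28.2.0.192.in-addr.arpa": "mail.example.net.",
                  "242.240/28.2.0.192.in-addr.arpa": "ns1.example.net."}
SINGLE_PTRS = {"241.2.0.192.in-addr.arpa": "mail.example.net.",
               "242.2.0.192.in-addr.arpa": "ns-old.example.net."}

if __name__ == "__main__":
    zone, cnames, singles = rfc2317_plan(CIDR)
    print("RFC 2317 zone:", zone)
    for name in singles:
        print(f'zone "{name}" {{ type master; file "{name}"; }};')
    for owner, new, old in out_of_sync(CIDR, CLASSLESS_PTRS, SINGLE_PTRS):
        print(f"MISMATCH {owner}: 2317 zone has {new}, one-address zone has {old}")
```

A mismatch here means a mail peer can see different reverse names depending on which zone answers, which is the failure mode for the mail exchange concern raised in the quoted message.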



