About root zones

Peter Andreev andreev.peter at gmail.com
Tue Jan 3 15:55:54 UTC 2012


2012/1/3 Matus UHLAR - fantomas <uhlar at fantomas.sk>:
>> 2012/1/2 Matus UHLAR - fantomas <uhlar at fantomas.sk>:
>>>
>>> I don't see your point now. I'm afraid that you will have to live with
>>> the fact that you can not disable sending queries from BIND when it needs
>>> them, you can only prevent it by configuring BIND (so it will not need
>>> them) or firewall such packets so they will not get outside (which may
>>> break its functionality).
>
>
> On 03.01.12 16:53, Peter Andreev wrote:
>>
>> My point: I need my servers to answer with authoritative data only. I
>> need them to not perform anything else. Only "get query - send
>> authoritative response". Where in this scenario BIND has to resolve
>> something?
>
>
> Nowhere. Note that BIND may send upward or root referrals, for clients that
> are allowed to view cached data (the hint zone is taken as cached). Also,
> bind can send additional data (authoritative or from cache) when configured
> so, but won't recursively resolve them.
>
> See description of additional-from-cache and additional-from-auth, maybe
> minimal-responses.
>
>

Yep, that's what I did first when the problem appeared. Second step was
deleting root.hints to (as I hoped) prevent any further resolving and
caching.

>> In which scenario (except master & notifies) BIND has to resolve
>> something?
>
>
> I don't know about any.

Neither do I. Unfortunately it is not covered in documentation.

>>>
>>> Maybe ISC will patch BIND to use system resolver for internal queries,
>>> but I doubt so. Maybe you can do it but imho it's not worth trying.
>>>
>>> Maybe you can set up forward only; and forwarders {}; so BIND will
>>> forward all recursive queries it generates to your recursive servers.
>>>
>>> But the way you are trying to get over this, I'm afraid you will fail and
>>> that's what I am trying to tell you.
>>
>>
>> I'm free to replace BIND with another authoritative DNS implementation.
>
>
> Yes, you are. But I'd advise you focus on the real problem, if it exists.
> Kevin Darcy mentioned that in his response.
>
>
> --
> Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Linux - It's now safe to turn on your computer.
> Linux - Teraz mozete pocitac bez obav zapnut.
>



-- 
--
AP
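
The quoted reply notes that BIND may still hand out upward or root referrals and cached data to clients allowed to see the cache. The following is an added example, not part of the original thread: it audits a raw DNS response from a server that is supposed to be authoritative-only and flags those cases. The function names, the zone `example.org.` and both sample packets are constructed for illustration.

```python
import struct

def read_name(msg, off):
    """Decode the DNS name at off (RFC 1035 compression aware) -> (name, next offset)."""
    labels, resume, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # compression pointer
            resume = off + 2 if resume is None else resume
            off = ((n & 0x3F) << 8) | msg[off + 1]
            if (hops := hops + 1) > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if n == 0:
            return ".".join(labels) + ".", (off if resume is None else resume)
        labels.append(msg[off:off + n].decode("ascii").lower())
        off += n

def audit(msg, zones):
    """Findings for one response from a server meant to serve only `zones`."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    off, findings = 12, []
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4           # skip QNAME, QTYPE, QCLASS
    aa = bool(flags & 0x0400)                      # AA: authoritative answer
    if flags & 0x0080:                             # RA: recursion available
        findings.append("RA set: recursion is offered to this client")
    if an and not aa:
        findings.append("non-authoritative answer: data served from cache")
    for i in range(an + ns):                       # answer RRs first, then authority
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        inside = any(owner == z or owner.endswith("." + z) for z in zones)
        if i >= an and rtype == 2 and not aa and not inside:
            findings.append(f"upward referral: NS for {owner} outside served zones")
    return findings

def enc(name):  # dotted name -> wire format; used only to build the samples below
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".") if l) + b"\0"

# Constructed samples: a root referral for an out-of-zone name, and an in-zone AA answer.
REFERRAL = (struct.pack("!6H", 0x1234, 0x8000, 1, 0, 1, 0) + enc("www.example.net.") +
            struct.pack("!HH", 1, 1) + enc(".") +
            struct.pack("!HHIH", 2, 1, 518400, 20) + enc("a.root-servers.net."))
ANSWER = (struct.pack("!6H", 0x1235, 0x8400, 1, 1, 0, 0) + enc("www.example.org.") +
          struct.pack("!HH", 1, 1) + b"\xc0\x0c" +
          struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1]))
```

`audit(REFERRAL, ["example.org."])` reports the upward referral, while `audit(ANSWER, ["example.org."])` returns an empty list.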


