Precautions for upgrading from 9.7.7 to 9.9.2-P2

Lawrence K. Chen, P.Eng. lkchen at ksu.edu
Fri Mar 29 16:00:11 UTC 2013



----- Original Message -----
> 
> In message <22783305.318587.1364508740276.JavaMail.root at k-state.edu>,
> "Lawrence K. Chen, P.Eng." writes:
> > Hmmm, I forget just what all I muttered when I upgraded from 9.7 to
> > 9.9.2-P1.
> >   I think the main beef I had was doing it the day before I left
> >   for LISA'12.
> > ... guess I didn't join this list until around that time.
> > 
> > As, I recall...the main thing that tripped me up was change in
> > empty-zones behavior.  It needs to be explicitly disabled (either
> > totally or just for the zones you use).
> 
> Which is only an issue if you have a forward "zone" below an empty
> zone without an intervening master/slave/stub zone.
> 
> As I have stated before forward zones were designed for two purposes.
> * performance increases by accessing a centralised cache
> * work around firewall issues
> 
> Forward zones were not designed to graft on internal namespaces.
> That they sometimes succeed at doing this is down to good luck.
> Forward zones work by redirecting where a recursing request is sent.
> They do not create a delegation in zones loaded onto the nameserver.
> 
> Basic zone management (master/slave) zones is capable of grafting
> on namespaces and if you don't want to have a full zone transferred
> to slaves then stub zones were designed to allow you to graft on a
> namespace.

But, before 9.9, the default behavior was all empty zones except RFC1918.  In 9.9, the default behavior became all empty zones including RFC1918.

Plus the forward zones that I have are only for forward DNS lookups.  The (Windows) servers are in a tightly firewalled vlan...so that insecure processes can continue until somebody gets around to securing them.  Seems the admin assigned to fix that either gets fired or quits.  But, the hosts in those subdomains aren't confined to defined subnet(s)...so there are just master/slave zone definitions for our IP spaces.

Though there's a subset of caching servers that have forwards to direct zen.spamhaus.org/dbl.spamhaus.org lookups to our rbldnsd server.

And, the forward zone definitions are at the end of my configuration file....so after all the master and slave zone blocks.

All the RFC1918 addresses are covered by master/slave zone definitions on my DNS servers.

> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
> 

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
Snail: Computing and Telecommunications Services (CTS)
Kansas State University, 109 East Stadium, Manhattan, KS 66506-3102
Phone: (785) 532-4916 - Fax: (785) 532-3515 - Email: lkchen at ksu.edu
Web: http://www-personal.ksu.edu/~lkchen - Where: 11 Hale Library
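
A pre-upgrade check for the condition described in the quoted reply (a forward zone below an empty zone with no intervening master/slave/stub zone), as an added example that is not part of the original message or of BIND. It covers only the RFC 1918 reverse zones, assumes `type` is the first statement in each zone block, treats a master/slave/stub zone at the empty zone's own name as replacing it, and runs on a constructed sample configuration.

```python
import re

# RFC 1918 reverse zones; per the thread, 9.9 creates these as empty zones by default.
RFC1918_EMPTY = {"10.in-addr.arpa", "168.192.in-addr.arpa"} | {
    f"{n}.172.in-addr.arpa" for n in range(16, 32)
}
AUTHORITATIVE = {"master", "slave", "stub"}

# Assumption: each zone block has "type" as its first statement.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{\s*type\s+([\w-]+)\s*;', re.I)

def parse_zones(conf):
    """Return {zone name (lowercase, no trailing dot): zone type}."""
    return {m.group(1).lower().rstrip("."): m.group(2).lower()
            for m in ZONE_RE.finditer(conf)}

def ancestors(name):
    """Yield each proper ancestor of name, nearest first."""
    labels = name.split(".")
    for i in range(1, len(labels)):
        yield ".".join(labels[i:])

def shadowed_forward_zones(conf):
    """List (forward zone, empty zone) pairs with nothing authoritative between."""
    zones = parse_zones(conf)
    hits = []
    for name, ztype in zones.items():
        if ztype != "forward":
            continue
        for parent in ancestors(name):
            if zones.get(parent) in AUTHORITATIVE:
                break  # intervening (or replacing) master/slave/stub zone
            if parent in RFC1918_EMPTY:
                hits.append((name, parent))
                break
    return sorted(hits)

# Constructed sample configuration (addresses are documentation ranges).
SAMPLE = '''
zone "20.10.in-addr.arpa" { type forward; forward only; forwarders { 192.0.2.53; }; };
zone "168.192.in-addr.arpa" { type master; file "db.192.168"; };
zone "5.168.192.in-addr.arpa" { type forward; forward only; forwarders { 192.0.2.53; }; };
zone "zen.spamhaus.org" { type forward; forward only; forwarders { 192.0.2.54; }; };
'''

if __name__ == "__main__":
    for fwd, empty in shadowed_forward_zones(SAMPLE):
        print(f"{fwd}: forward zone below empty zone {empty}")
```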


