Negative zones; NXDOMAIN responses

Mark Andrews marka at isc.org
Tue May 21 01:03:52 UTC 2013


	The simplest solution is to slave the root zone and
	turn off notify to so you don't spam the official
	root servers.  192.5.5.241 is f.root-servers.net.


zone "." IN {
        type slave;
        file "slave/root";
        masters { 192.5.5.241; };
        notify no;
};

	If you want to use DNSSEC to validate the contents then
	you can use views to achieve this.

managed-keys {
        . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
};

view "secure" {
        match-clients { localnets; };
        match-recursive-only yes;
        zone . {
                type static-stub;
                server-addresses { 127.0.0.1; };
        };
};

view "external" {
	recursion no;
	allow-recursion { none; };
	zone "." IN {
		type slave;
		file "slave/root";
		masters { 192.5.5.241; };
		notify no;
	};
};

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org


More information about the bind-users mailing list