Negative zones; NXDOMAIN responses

Kevin Darcy kcd at chrysler.com
Tue May 21 15:17:28 UTC 2013


Ugh, I'm trying _really_ hard not to be an annoying nitpicker (yeah, I 
know, try harder :-), but...

The relevant verbiage of RFC 6762 is:

    Caching DNS servers SHOULD recognize these names as special and
    SHOULD NOT attempt to look up NS records for them, or otherwise
    query authoritative DNS servers in an attempt to resolve these
    names. Instead, caching DNS servers SHOULD generate immediate
    NXDOMAIN responses for all such queries they may receive (from
    misbehaving name resolver libraries). This is to avoid unnecessary
    load on the root name servers and other name servers.

I'm not sure that slaving the root zone (although it is the "simplest 
solution" and undoubtedly _works_) is really compatible with the letter 
or spirit of that verbiage...

                                 - Kevin

On 5/20/2013 9:03 PM, Mark Andrews wrote:
> 	The simplest solution is to slave the root zone and
> 	turn off notify so you don't spam the official
> 	root servers.  192.5.5.241 is f.root-servers.net.
>
>
> zone "." IN {
>          type slave;
>          file "slave/root";
>          masters { 192.5.5.241; };
>          notify no;
> };
>
> 	If you want to use DNSSEC to validate the contents then
> 	you can use views to achieve this.
>
> managed-keys {
>          . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
> };
>
> view "secure" {
>          match-clients { localnets; };
>          match-recursive-only yes;
>          zone . {
>                  type static-stub;
>                  server-addresses { 127.0.0.1; };
>          };
> };
>
> view "external" {
> 	recursion no;
> 	allow-recursion { none; };
> 	zone "." IN {
> 		type slave;
> 		file "slave/root";
> 		masters { 192.5.5.241; };
> 		notify no;
> 	};
> };
>
> 	Mark
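An added example, not Mark's configuration or anything from the thread, of the behaviour the quoted RFC text asks for: BIND serving "local" as an empty local zone so the resolver answers NXDOMAIN itself instead of looking up NS records or asking the roots. It assumes the special names in question are those under .local (RFC 6762, section 22.1) and that the zone-file path is one you choose; the SOA values are the conventional ones for an empty zone, and the two files are shown one after the other.

```conf
// named.conf fragment (added example): make this resolver authoritative
// for an empty "local" zone. Any query below it gets an immediate NXDOMAIN
// built from the local SOA; no NS lookup or root query is ever sent.
zone "local" IN {
    type master;
    file "/etc/bind/db.empty";   // assumed path; file contents follow below
    notify no;                   // nobody else needs to hear about this zone
    allow-transfer { none; };    // nothing worth transferring, so refuse AXFR
};

; /etc/bind/db.empty (assumed path): SOA and NS only, no other records, so
; every name under "local" is NXDOMAIN and the SOA lets clients cache the
; negative answer (RFC 2308) for the negative-caching TTL of 3 hours.
$TTL 86400
@   IN  SOA localhost. root.localhost. (
            1        ; serial
            604800   ; refresh
            86400    ; retry
            2419200  ; expire
            10800 )  ; negative caching TTL
@   IN  NS  localhost.
```

Checking with `dig @127.0.0.1 printer.local A` should show `status: NXDOMAIN` with the `local.` SOA in the AUTHORITY section, the answer having come from the local zone rather than from any upstream server.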
