Zone hints for VPN environments

Andreas Meile mailingliste at
Wed Feb 17 16:52:56 UTC 2016

Hello Darcy and other posters

----- Original Message ----- 
From: "Darcy Kevin (FCA)" <kevin.darcy at>
To: <bind-users at>
Sent: Tuesday, February 16, 2016 1:42 AM
Subject: RE: Zone hints for VPN environments

> Note that there are additional considerations if there are any descendant
> (child, grandchild, etc.) zones of

Thanks for all your comments. I have already recognized that this is a more 
complex problem than I first thought.

> Another poster suggested "type slave", i.e. replicating the zone contents
> via the standards-defined AXFR/IXFR features of the protocol. While I'm
> generally a big fan of zone replication, between different legal entities
> there is often a concern about unintentional information disclosure.

This is a good point but: Some VPN links are not always connected (the 
customer must explicitly activate it when a support operation is needed and 
disconnect when finished) so my named would produce a lot of error log 
entries (and even lose all cached information after 14 days) during the 
closed VPN phase. Additionally, in case of deeper DNS zones, for example, additional slave configuration on my named and 
always keeping the zone list manually updated is needed.

This is the reason why I prefer a solution to say to my named: "When 
resolving something in and deeper, use For all 
other domains, use and/or or even the public root 
hints." => It does not hurt when is sometimes not reachable 
because outside a VPN session, I don't need to resolve any host names inside into their IP addresses when no such service operation is 

" what is that? I only know ::1!" -

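The behaviour asked for in the message above (one domain and everything below it resolved through a server behind the VPN, everything else through the normal path) can be expressed in named.conf with a forward zone. This is an added example, not part of the original post. The zone name customer.example and the addresses 192.0.2.53, 198.51.100.1 and 198.51.100.2 are constructed placeholders, as are the directory and ACL settings.

```conf
// Constructed example: all names and addresses are placeholders.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { localhost; localnets; };

    // Default path for every name not covered by a more specific zone.
    forwarders { 198.51.100.1; 198.51.100.2; };
    // If the forwarders do not answer, resolve iteratively from the root hints.
    forward first;
};

// Applies to customer.example and every name below it, so child zones
// on the customer side need no extra configuration here.
zone "customer.example" {
    type forward;
    // Only ever ask the customer's resolver: queries for internal names
    // are never sent to the default forwarders or to public servers.
    forward only;
    // Reachable only while the VPN session is up.
    forwarders { 192.0.2.53; };
};
```

A forward zone holds no zone data, so there are no transfer attempts and nothing to expire while the VPN is down; lookups under the zone simply fail with SERVFAIL until the forwarder is reachable again.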