allow-notify in catalog zones?

Tony Finch dot at dotat.at
Wed Feb 1 11:42:05 UTC 2017


Wolfgang Gehrke <wolfgang.gehrke at netplace.com> wrote:

> BIND 9.11 introduces catalog zones to simplify the management of slave
> servers. The documentation just mentions support for the "masters" (also
> with key), "allow-query" and "allow-transfer" options within the
> contents of a catalog zone.

I've been hoping someone more expert than me would reply to this since I
am also curious about catalog zones, but I haven't tried them out yet.

> Can the "allow-notify" option be used, too, as an APL RR or does the
> "masters" option implicitly allow for notifications from the
> corresponding master (e.g. in cases where this master does not occur in
> the NS RRs of that zone)?

The allow-notify option is in addition to the zone's masters list.
Notifies are implicitly allowed from servers in the masters list. The
zone's NS records are used for sending notifies, not for accepting them.

> Generally speaking: are catalog zones already fully equivalent to the
> configuration possibilities by editing a file or executing rndc commands?

I don't think it's quite complete yet - for instance, I don't think you
can include a TSIG key in an acl in a catz.

(I would quite like to be able to set up a catz which refers to named
masters lists and named ACLs defined in named.conf, since that is how my
current zone provisioning works. Named lists make the dynamic zone config
much simpler, though the coupling to the static part of the server config
is a bit unfortunate. But TSIG keys have the same kind of coupling.)

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Malin: South or southeast 6 to gale 8. Rough or very rough. Rain or showers.
Moderate or good.
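Added example, not part of the thread or of BIND itself: a small Python generator for catalog-zone member entries, illustrating the reply's point that masters and ACL options are records under the member label while notify acceptance from the masters needs no record of its own. The label hashing (SHA-1 of the zone name in wire format) and the masters./allow-query./allow-transfer. layout are assumed from the BIND 9.11 catalog zone documentation, and all names and addresses are constructed.

```python
import hashlib
import ipaddress

# Assumed catalog-zone conventions (from the BIND 9.11 ARM, not from the thread):
# a member zone's label is the hex SHA-1 of its name in DNS wire format, and the
# per-zone options live under masters./allow-query./allow-transfer. below it.

def wire_name(name: str) -> bytes:
    """Encode a DNS name in uncompressed wire format (lowercased, absolute)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def member_label(zone: str) -> str:
    """Hex SHA-1 of the wire-format zone name: the owner label inside zones.<catalog>."""
    return hashlib.sha1(wire_name(zone)).hexdigest()

def apl_rdata(prefixes):
    """Render CIDR strings as APL rdata: address family 1 for IPv4, 2 for IPv6."""
    items = []
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=False)
        items.append(f"{1 if net.version == 4 else 2}:{net.with_prefixlen}")
    return " ".join(items)

def member_records(catalog, zone, masters, allow_query=None, allow_transfer=None):
    """Return the RRs that add `zone` to `catalog` with per-zone masters and ACLs.
    No allow-notify record is emitted: as the reply explains, notifies from
    servers in the masters list are implicitly accepted."""
    owner = f"{member_label(zone)}.zones.{catalog.rstrip('.')}."
    rrs = [f"{owner} IN PTR {zone.rstrip('.')}."]
    for m in masters:
        rtype = "A" if ipaddress.ip_address(m).version == 4 else "AAAA"
        rrs.append(f"masters.{owner} IN {rtype} {m}")
    if allow_query:
        rrs.append(f"allow-query.{owner} IN APL {apl_rdata(allow_query)}")
    if allow_transfer:
        rrs.append(f"allow-transfer.{owner} IN APL {apl_rdata(allow_transfer)}")
    return rrs

if __name__ == "__main__":
    # Constructed sample using RFC 5737 / RFC 3849 documentation addresses.
    for rr in member_records("catalog.example", "example.net",
                             ["192.0.2.1", "2001:db8::1"],
                             allow_query=["0.0.0.0/0"],
                             allow_transfer=["192.0.2.0/24"]):
        print(rr)
```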
