<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 18/04/2023 2:43 am, Greg Choules via
bind-users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CANsEUy2wi0=wXq476KmtHdyGUVury6ov8rur3B+2H_d7tAxZRA@mail.gmail.com">
<div>Why do you need it? Do you have some secondaries that are not
listed as NS in zones?</div>
</blockquote>
<p>The goal was to have the primary use a particular TSIG key when
it sends out the NOTIFY messages to the secondaries, which is
achieved by turning off the default notifies ("notify explicit"),
and specifying the keys in an "also-notify" block.<br>
</p>
<blockquote type="cite"
cite="mid:CANsEUy2wi0=wXq476KmtHdyGUVury6ov8rur3B+2H_d7tAxZRA@mail.gmail.com">
<div>Regarding views. Why would you have the same zone in an
internal and external view? A few years ago, having to maintain
multiple zones of the same name but different contents caused me
problems daily. I would recommend having internal zones be
proper delegations from external zones. e.g.:</div>
<div>external "<a href="http://example.com" moz-do-not-send="true">example.com</a>"</div>
<div>internal "<a href="http://internal.example.com"
moz-do-not-send="true">internal.example.com</a>"</div>
</blockquote>
<p>I agree that having your internal infrastructure in a sub-zone is
a good idea. But even if you do this there are valid reasons for
having a split-view of the parent zone. One reason is so that you
can include proper NS delegation records in the parent zone (e.g.
in the internal view only). (I don't remember all the details, but
I seem to recall that without these, if the parent zone is
DNSSEC-signed and doesn't use the OPT-OUT feature, then a
DNSSEC-validating resolver (e.g. running the "delv" tool) would
complain when querying names in the internal zone.)</p>
<p>Nick.<br>
</p>
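<p>The "notify explicit" plus keyed "also-notify" arrangement described
above, as an added named.conf sketch for the primary; it is not part of
the original message. The key name, view name, addresses, file path and
secret are placeholders assumed for illustration.</p>
<pre>
```conf
// Constructed example: every name, address and path below is a placeholder.
key "notify-internal" {
    algorithm hmac-sha256;
    // Placeholder value; generate a real secret with tsig-keygen.
    secret "REPLACE_WITH_BASE64_SECRET";
};

view "internal" {
    match-clients { 10.0.0.0/8; };           // assumed internal client range

    zone "example.com" {
        type primary;
        file "internal/example.com.db";      // hypothetical path

        // Default behaviour, shown for comparison: NOTIFY goes to the
        // servers named in the zone's NS records, and this statement
        // gives no way to choose a key per destination.
        // notify yes;

        // Turn off the NS-derived notifies and send NOTIFY only to the
        // servers listed in also-notify, each signed with the named key.
        notify explicit;
        also-notify {
            192.0.2.53 key "notify-internal";    // assumed secondary
            2001:db8::53 key "notify-internal";  // assumed secondary
        };
    };
};
```
</pre>
<p>Running named-checkconf on the file catches syntax errors, including a
key name in "also-notify" that has no matching key statement.</p>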
</body>
</html>