<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">The option is enabled by default however if you forward all queries then the automatic zones won’t be created and the forwarder is responsible for filtering. This is done like this because lots of people use forwarding to get to the internal servers that serve these zones. <div><br></div><div>Just create empty zones in named.conf. If the automatic creation doesn’t work with the rest of your configuration.</div><div><br></div><div>The log messages are there to tell you that queries are still leaking. </div><div><br></div><div>Given your other questions about 10.in-addr.arpa I would really set it up and delegate based on which address blocks are assigned to whom. Allow the zone to be transferred to any 10.0.0.0/8 address by default. Add in other server address or TSIG keys as different departments request access to it. Start with an empty zone and delegations for the addresses you are using yourself and build up from there. Turn off forwarding in this zone’s configuration by using an empty forwarders clause ( forwarders { /* empty */ }; ). </div><div><br></div><div>I know you said this was a lost cause but it doesn’t have to be 100% perfect. It can be built up over time.</div><div><br><div dir="ltr">-- <div>Mark Andrews</div></div><div dir="ltr"><br><blockquote type="cite">On 23 Sep 2023, at 02:45, John Thurston <john.thurston@alaska.gov> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<p>The global/view option</p>
<blockquote>
<p>empty-zones-enable yes; <br>
</p>
</blockquote>
<p>isn't behaving as I expected. <br>
</p>
<p>I had expected that it would cause empty "RFC 1918" zones to be
created for those zones for which there were not local zones
defined. That is, if there were no local zones of this type
defined, it would create all the required empty zones. But if
10.in-addr.arpa was defined locally, it would skip that but define
the rest of them.</p>
<p>After looking at my logs, and seeing that I'm leaking RFC 1918
queries, I see my expectations were wrong.<br>
</p>
<p>Is explicitly defining the remaining empty zones the best way to
correct this?</p>
<p>Or maybe add the un-used RFC 1918 zones to our RPZ?<br>
</p>
<pre class="moz-signature" cols="72">--
--
Do things because you should, not just because you can.
John Thurston 907-465-8591
<a class="moz-txt-link-abbreviated" href="mailto:John.Thurston@alaska.gov">John.Thurston@alaska.gov</a>
Department of Administration
State of Alaska</pre>
<span>-- </span><br><span>Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list</span><br><span></span><br><span>ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.</span><br><span></span><br><span></span><br><span>bind-users mailing list</span><br><span>bind-users@lists.isc.org</span><br><span>https://lists.isc.org/mailman/listinfo/bind-users</span><br></div></blockquote></div></body></html>