North American Network Operators Group


Re: The power of default configurations

  • From: Jon Lewis
  • Date: Thu Apr 07 14:05:55 2005

On Thu, 7 Apr 2005, Eric A. Hall wrote:

> This setup works if you know the server is the last resort for your local
> clients. It doesn't work as a default install unless you are also willing
> to scream warnings about changing the defaults every time named.conf is
> modified for local use.

Would you really have to scream?  i.e. named (at least on redhat) comes
with something like:

zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};
$TTL    86400
$ORIGIN localhost.
@                       1D IN SOA       @ root (
                                        42              ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

                        1D IN NS        @
                        1D IN A         127.0.0.1

How many admins mess with that?  Unless they had reason to (i.e. maybe
they use some 1918 space internally and want to set up DNS for it), I doubt
that they'd remove similar zone entries intended to be a sink for RFC1918
PTR queries.

> Besides which, you'd really prefer to have an internal filter kill the
> queries before they are sent to the root (as part of chasing down the
> delegation chain), or before it was sent to the authoritative servers for
> in-addr.arpa. (if such was already learned), rather than make users
> remember to change the configuration file.

Defining the zones locally keeps their queries from getting to the
root/in-addr.arpa servers.

I think I agree with you on losing the * entry, and just letting it return
nxdomain.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
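As an added example (not part of Jon Lewis's message or of the Red Hat default configuration he quotes), the Python below generates the named.conf sink zones for the three RFC 1918 reverse trees plus a shared zone file with no `*` entry, so PTR lookups for private addresses are answered NXDOMAIN locally rather than being sent to the root or in-addr.arpa servers. The zone file name and the SOA values are constructed for the example.

```python
"""Generate BIND sink zones for RFC 1918 reverse lookups.

Added example, not from the NANOG thread. The zone file name and SOA
values are constructed here, not copied from any distribution.
"""
import ipaddress

# RFC 1918 private address blocks whose PTR queries should stay local.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def reverse_zones(prefix: str) -> list:
    """Return the in-addr.arpa zone names that exactly cover `prefix`.

    Reverse zones are delegated on octet boundaries, so a /12 such as
    172.16/12 needs sixteen /16 zones (16.172 ... 31.172.in-addr.arpa).
    """
    net = ipaddress.ip_network(prefix)
    octets = -(-net.prefixlen // 8)        # round up to whole octets
    zones = []
    for sub in net.subnets(new_prefix=octets * 8):
        labels = str(sub.network_address).split(".")[:octets]
        zones.append(".".join(reversed(labels)) + ".in-addr.arpa")
    return zones


def sink_zone_stanza(zone: str, zonefile: str = "sink.zone") -> str:
    """named.conf stanza making this server authoritative for `zone`."""
    return (f'zone "{zone}" IN {{\n'
            f'        type master;\n'
            f'        file "{zonefile}";\n'
            f'        allow-update {{ none; }};\n'
            f'}};\n')


# Zone file shared by every sink zone: SOA and NS only, no wildcard PTR,
# so any name below the apex gets NXDOMAIN instead of a made-up answer.
SINK_ZONE_FILE = """$TTL    86400
@       1D IN SOA  @ root ( 1 3H 15M 1W 1D )
        1D IN NS   @
"""


def named_conf_fragment() -> str:
    """All RFC 1918 sink stanzas, ready to be included from named.conf."""
    zones = [z for p in RFC1918 for z in reverse_zones(p)]
    return "".join(sink_zone_stanza(z) for z in zones)


if __name__ == "__main__":
    print(named_conf_fragment())
    print(SINK_ZONE_FILE)
```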