On 11/16/2021 2:41 AM, Tony Finch wrote:
> John Thurston <john.thurs...@alaska.gov> wrote:
>> If I have a Reverse Policy Zone (RPZ) defined, I can define a specific answer
>> to be sent for a specific record-type for a specific name:
>> foo.bar.com IN A 10.11.12.13
>> foo.bar.com IN TXT "Hello World"
>> But I can't seem to define one for the record-type NS
>> Is this possible?
> The RPZ documentation doesn't say you can't include NS records as "local
> data", but I guess you might trip over BIND's checks for what makes sense
> at a zone cut: in a normal zone you can't have A and TXT and NS at the
> same name (unless it's the zone apex).
> But even if it did work, it's unlikely to do what you want. (You didn't
> say why you want NS records so that's a somewhat risky assumption...)
TL;DR: I'm trying to cover up someone else's mess
I didn't describe the reason because it is painful.
We use products from Major Software (hereafter referred to as MS). They
use DNS to provide pointers to public and private versions of similar
services. These pointers are served from public or private authoritative
servers owned and operated by MS. The zones defined on the public
authorities contain both SOA and NS records for each zone. The zones
defined on the private authorities have only the SOA records.
Per RFC, an SOA and NS are the minimal records required of a zone. When
we define forward-zones in our internal resolvers (e.g. Please send
queries for these private names directly to this MS resolver), our
automated monitoring system goes berserk. "Danger! Danger! The zone
privatelink.MS.net is invalid! It has no NS record!! Danger! Something
is wrong! Stop forwarding! Call the Authorities!"
I recognize MS probably doesn't care they are serving up an invalid
zone. I also recognize that my bosses probably are not going to quit
using products and services from MS. I don't want to try to dismantle
(or cripple) the monitoring system which is keeping an eye on all the
other zones for which we forward. I'm, therefore, left trying to imagine
some way to abuse something in my control so my monitoring system doesn't
notice these private MS zones are invalid.
I had _hoped_ I could use an RPZ to say:
privatelink.MS.net IN NS 127.0.0.1
My monitoring system would query DNS, find the SOA (from the real
authorities) and an NS (from my RPZ) and go away happy.
I recognize that the correct answer is to convince MS to correctly
publish their private zones. But after a couple of decades of working
with products from Major Software, I have more confidence I'll score on
the next Powerball than they will acknowledge the deficiency (let alone
consider correcting it).
--
Do things because you should, not just because you can.
John Thurston 907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
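As an added illustration of the zone-cut constraint Tony describes (this is not BIND's own check and not code from the thread), the following simplified checker groups zone records by owner name and flags any name below the apex that owns NS records together with ordinary data such as A or TXT. The RPZ apex `rpz.example.`, the name-server name `ns.rpz.example.` and the SOA line are constructed; the A and TXT lines are the ones quoted in the thread.

```python
# Simplified zone-cut sanity check (added illustration, not BIND's own logic).
# Below the apex, a name that owns NS records is a delegation point and must
# not also own ordinary data such as A or TXT. The apex "rpz.example." and the
# name-server name are constructed; the A/TXT lines are from the thread.
from collections import defaultdict

# Types allowed at a delegation point besides NS (DS is the signed delegation).
DELEGATION_OK = {"NS", "DS"}

def qualify(owner, origin):
    """Turn a zone-file owner ('@' or relative) into a lower-case absolute name."""
    origin = origin.lower().rstrip(".")
    owner = owner.lower()
    if owner == "@":
        return origin
    return owner.rstrip(".") if owner.endswith(".") else f"{owner}.{origin}"

def parse_records(text, origin):
    """Parse 'owner class type rdata' lines (no TTLs) into (owner, type, rdata)."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        owner, _cls, rtype, rdata = line.split(None, 3)
        records.append((qualify(owner, origin), rtype.upper(), rdata))
    return records

def zone_cut_conflicts(origin, records):
    """Map each non-apex name owning NS plus ordinary data to the offending types."""
    apex = origin.lower().rstrip(".")
    by_owner = defaultdict(set)
    for owner, rtype, _ in records:
        by_owner[owner].add(rtype)
    conflicts = {}
    for owner, types in by_owner.items():
        if owner != apex and "NS" in types:
            ordinary = types - DELEGATION_OK
            if ordinary:
                conflicts[owner] = sorted(ordinary)
    return conflicts

ORIGIN = "rpz.example."   # constructed RPZ apex
SAMPLE_ZONE = """
@ IN SOA ns.rpz.example. hostmaster.rpz.example. 1 3600 900 604800 60
@ IN NS ns.rpz.example.
foo.bar.com IN A 10.11.12.13
foo.bar.com IN TXT "Hello World"
foo.bar.com IN NS ns.rpz.example.          ; NS beside A and TXT: trips the check
privatelink.MS.net IN NS ns.rpz.example.   ; NS alone: passes, but is now a cut
"""

if __name__ == "__main__":
    for name, types in zone_cut_conflicts(ORIGIN, parse_records(SAMPLE_ZONE, ORIGIN)).items():
        print(f"{name}: NS at a non-apex name coexists with {', '.join(types)}")
```

Note that an NS record standing alone at a non-apex name passes this particular check; it simply turns that name into a delegation point, which is why the reply above warns it is unlikely to behave as local data.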
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users