I am upgrading and redeploying some authoritative-only BIND servers. Two
questions about some fine points:

What to set 'dnssec-validation' to? Just let it default to 'auto'? There is
no need or opportunity for an authoritative-only server to validate (right?).
Should we actively switch it off, i.e. set it to 'no'? For example, does
setting it to 'no' reduce any resource use or reduce the security
vulnerability space?

This is bordering on aesthetic (maybe the first one is too), but what to do
about the compiled-in root hints? Even on my authoritative-only server with
"recursion no", every forty-five minutes or so it's trying to go to the
root servers and retrieve the NS and DNSKEY RRs for the root. It's blocked,
since there is no reason for this server to do outbound DNS except to its
hidden masters, so it just keeps trying and cluttering the firewall logs.
What's the best way to stop this behavior? Is there a configuration option?
I did this:

zone "." {
    type primary;
    file "primary/empty-zone.db";
    allow-query { none; };
};

This seems to do the trick, but is that the cleanest way? Any problems
with that approach that I haven't considered?

Oh, one final bonus question: is there any difference between specifying
'none' and '!all' in a server list, ACL, etc.? I prefer 'none', but the old
configurations used '!all'. Can I change those without worrying?
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
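The 'none' versus '!all' question, as an added example that is not part of the original post: a Python model of how BIND evaluates an address_match_list (elements tried in order, first match decides, a match on a "!"-negated element denies, no match denies). 'any' and 'none' are BIND built-ins; 'all' is not a built-in I can confirm, so it is assumed here to be a user-defined acl all { any; }, and the example also goes beyond the question to show the first-match ordering pitfall.

```python
# Added example, not from the original post: a model of BIND's
# address_match_list evaluation. Elements are tried in order; the first one
# that matches decides, and a match on a "!"-negated element means deny. If
# nothing matches, BIND denies. A nested ACL name matches only when the nested
# list yields a positive match (a negated match inside it counts as no match).
import ipaddress

# "any" and "none" are BIND built-ins. "all" is not a BIND built-in; it is a
# constructed assumption here, standing in for an acl all { any; } that the
# old configurations in the post presumably declared.
ACLS = {
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
    "all": ["any"],
}


def element_matches(name, ip, acls):
    """True if a single un-negated element matches the client address."""
    if name in acls:
        # Nested ACL: only a positive match of the inner list counts.
        return evaluate(acls[name], str(ip), acls) == "allow"
    try:
        net = ipaddress.ip_network(name, strict=False)
    except ValueError:
        # Mirrors named-checkconf rejecting a reference to an undefined ACL.
        raise ValueError(f"unknown ACL element {name!r}") from None
    return ip.version == net.version and ip in net


def evaluate(match_list, addr, acls=ACLS):
    """Return 'allow' or 'deny' for addr under a BIND-style match list."""
    ip = ipaddress.ip_address(addr)
    for element in match_list:
        negated = element.startswith("!")
        if element_matches(element.lstrip("!").strip(), ip, acls):
            return "deny" if negated else "allow"
    return "deny"  # no element matched: BIND's default is to deny


if __name__ == "__main__":
    for lst in (["none"], ["!any"], ["!all"]):
        print(lst, evaluate(lst, "192.0.2.10"))  # all three deny
    # Order matters: the first matching element wins, so the negation
    # in the second list is never reached for 10.0.0.1.
    print(evaluate(["!10.0.0.1", "10.0.0.0/8"], "10.0.0.1"))  # deny
    print(evaluate(["10.0.0.0/8", "!10.0.0.1"], "10.0.0.1"))  # allow
    print(evaluate(["!10.0.0.1", "10.0.0.0/8"], "10.0.0.2"))  # allow
```

With 'all' left undefined, the model raises on '!all' just as named-checkconf would refuse the configuration, so the only real difference is whether that acl exists.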