On 19/04/2025 02:06, Marek Kozlowski wrote:
> view pub {
>     match-clients { any; };

Hi Marek.

What you have created looks great, and looks like it will work fine. I
have one minor suggestion though: For consistency with your other views,
and to eliminate the possibility of accidentally transferring the public
zone to a private view /as a side-effect of any future configuration
changes/, I'd change the above match-clients line to:

    match-clients { !key priv1; !key priv2; key pub; any; };

This tweak will prevent the public view from being accessed with either
of the private keys. And while that isn't going to happen with your
current configuration (due to the order of the views and the
match-clients stanzas in those views), if in the future you change
something - such as adding a match-destinations stanza to one of the
other views - then there is a risk that your secondary server could
inadvertently end up transferring the zone from the public view in spite
of having signed the zone transfer request with one of the private keys.

Nick.
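
The fall-through described in the message above, as an added example that is not part of the original message and is not BIND code: a simplified Python model of view selection (first matching view wins, ACLs are first-match with negation). The key names priv1, priv2 and pub come from the message; the private view names, the match-destinations address and the request addresses are constructed assumptions.

```python
# Simplified model of BIND view selection (illustration only, not BIND code).
# Views are tried in order; the first one whose match-clients and
# match-destinations both accept the request is used.
# ACLs are first-match: a matching negated element rejects the request.

def acl_accepts(acl, value):
    """acl is a list of (negated, element) pairs; 'any' matches everything."""
    for negated, element in acl:
        if element == "any" or element == value:
            return not negated
    return False  # no element matched

def select_view(views, tsig_key, dest_ip):
    """Return the name of the view that serves the request, or None (refused)."""
    signed_with = f"key {tsig_key}" if tsig_key else None
    for view in views:
        dests = view.get("match-destinations", [(False, "any")])
        if acl_accepts(view["match-clients"], signed_with) and acl_accepts(dests, dest_ip):
            return view["name"]
    return None

# pub view ACL as quoted in the message, and as suggested in the reply.
ORIGINAL_PUB = [(False, "any")]
HARDENED_PUB = [(True, "key priv1"), (True, "key priv2"), (False, "key pub"), (False, "any")]

def build_views(pub_acl, priv1_destination=None):
    """Hypothetical layout: two private views first, then pub (names assumed)."""
    priv1 = {"name": "priv1", "match-clients": [(False, "key priv1")]}
    if priv1_destination:  # the 'future change' from the message
        priv1["match-destinations"] = [(False, priv1_destination)]
    priv2 = {"name": "priv2", "match-clients": [(False, "key priv2")]}
    return [priv1, priv2, {"name": "pub", "match-clients": pub_acl}]

if __name__ == "__main__":
    # Constructed addresses from the documentation range 192.0.2.0/24.
    for label, acl in (("original", ORIGINAL_PUB), ("hardened", HARDENED_PUB)):
        views = build_views(acl, priv1_destination="192.0.2.1")
        # Secondary signs with priv1 but reaches the server on another address.
        print(label, "->", select_view(views, "priv1", "192.0.2.2"))
```

With the original ACL the priv1-signed request lands in the pub view once the private view stops matching; with the suggested ACL no view matches and the transfer is refused instead.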