Hi, I've hit a corner-case in my BIND configuration involving automatically-created empty private zones (such as for 10.in-addr.arpa) and zone configuration via RFC 9432 catalog zone.
I think I have found a couple of manual solutions, but I'm wondering if there's a neat trick that I'm missing.

~ ~ ~

In more detail: I've configured my on-site recursive servers (currently running a distribution-supplied BIND 9.16.x) to act as hidden secondaries for our core DNS zones for resilience. Rather than manually enumerate all our core zones, including RFC 1918 reverse lookup zones, I use a catalog zone to configure the recursive resolvers with the set of zones they should mirror. This is (almost!) working perfectly.

However, some private zones, such as 10.in-addr.arpa, aren't being replicated; instead, BIND has automatically created an empty version of the zone, and is serving NXDOMAINs from that empty zone to avoid inappropriately forwarding such queries to the DNS root. Ref: https://kb.isc.org/docs/aa-00800

Normally, BIND would notice any statically configured private zones and not create empty variants for them. However, because these zones aren't configured statically, but are instead populated dynamically from the catalog, BIND can't tell at start-up time that it doesn't need to create an empty version — and moreover, doesn't appear to be able to override or replace the automatically created empty zone when subsequently asked to mirror it via the catalog. This shows up in the BIND log as e.g.:

> catz: zone "10.in-addr.arpa" is overridden by explicitly configured zone

... even though this zone isn't actually explicitly configured.

~ ~ ~

Now, I believe I can work around this problem by manually enumerating:

    disable-empty-zone "10.in-addr.arpa.";
    # etc.

... in my BIND configuration. However, this is suboptimal, as now the additional mirroring of some zones requires reconfiguration of the downstream secondary nameserver configuration as well as the catalog zone, which I was hoping to avoid. The alternative is to disable the creation of all empty zones entirely with `empty-zones-enable no;`, however, this is unattractive as it will fail broken.
(I can try to ensure that the catalog (and local authoritative server) all reference each of the private DNS zones as required, and keep this set updated; however, any omission will cause queries to be inappropriately forwarded to the DNS root.)

~ ~ ~

Is there an artful third way that allows me to automatically override locally-created empty zones using entries in a DNS catalog, without first disabling the safety feature in BIND that prevents private DNS queries for any unconfigured private zones from being passed up to the DNS root?

(I've had a skim of the BIND changelog since the older version that I'm running, and didn't see any headline entries indicating a change in this area.)

Hope that all makes sense; thanks in advance for any advice anyone can offer!

Best wishes,
David

--
Dr. David McBride <david.w.mcbr...@durham.ac.uk>
Senior Technical Specialist, Computing & Information Services
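The per-zone `disable-empty-zone` workaround described in the post can be kept in step with the catalog rather than hand-maintained: the script below (an added example, not part of the original message or of BIND) reads the member PTR records from an RFC 9432 catalog zone file and emits the `disable-empty-zone` statements for any member that collides with one of BIND's built-in empty zones, so the catalog stays the single source of truth. The built-in zone list and the sample catalog are assumptions constructed for the example; `catalog.example` and the member names are placeholders.

```python
import re

# Assumed subset of the reverse zones BIND serves as built-in empty zones by
# default (see https://kb.isc.org/docs/aa-00800); extend to match your version.
BUILTIN_EMPTY_ZONES = {
    "10.in-addr.arpa",
    *{f"{n}.172.in-addr.arpa" for n in range(16, 32)},
    "168.192.in-addr.arpa",
    "127.in-addr.arpa",
    "0.in-addr.arpa",
    "254.169.in-addr.arpa",
}

# owner [ttl] [IN] PTR target   (class/TTL optional, as in a hand-written zone file)
PTR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?PTR\s+(\S+)$", re.IGNORECASE)


def catalog_members(zone_text, catalog_origin):
    """Return member zone names (lower-case, no trailing dot) taken from the
    PTR records under zones.<catalog_origin> in an RFC 9432 catalog zone."""
    want = f".zones.{catalog_origin.rstrip('.').lower()}."
    origin = catalog_origin.rstrip(".").lower()  # tracks $ORIGIN for relative owners
    members = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop zone-file comments
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower()
            continue
        m = PTR_RE.match(line)
        if not m:
            continue
        owner = m.group(1).lower()
        if not owner.endswith("."):
            owner = f"{owner}.{origin}."          # qualify relative owner name
        if owner.endswith(want):
            members.append(m.group(2).rstrip(".").lower())
    return members


def disable_empty_zone_stanzas(members):
    """named.conf lines needed so catalog members are not shadowed by the
    automatically created empty zones (the collision the log line reports)."""
    clash = sorted(set(members) & BUILTIN_EMPTY_ZONES)
    return [f'disable-empty-zone "{z}.";' for z in clash]


# Constructed sample catalog zone; hashes and names are placeholders.
SAMPLE_CATALOG = """\
$ORIGIN catalog.example.
@            IN SOA ns1.example. hostmaster.example. 2024010101 3600 600 1209600 300
@            IN NS  invalid.
version      IN TXT "2"
abc123.zones IN PTR 10.in-addr.arpa.      ; collides with a built-in empty zone
def456.zones IN PTR example.org.          ; ordinary forward zone, no stanza needed
ghi789.zones IN PTR 168.192.in-addr.arpa.
"""

if __name__ == "__main__":
    print("\n".join(disable_empty_zone_stanzas(catalog_members(SAMPLE_CATALOG, "catalog.example"))))
```

Run it against the real catalog zone file (or an AXFR saved to disk) as part of the config-generation step that already produces the secondary's named.conf.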