Hi Greg,

Thanks for your help.

1) Just so I'm clear, if I made this configuration:

   global forwarding DISABLED
   zone "."          MISSING
   recursion         ENABLED

a) The server would contact the root servers because the hints are built-in, right?
b) With the same configuration but recursion DISABLED, would the server contact the root servers?
c) On CS (the cache server) both recursion and global forwarding are enabled; I will comment out the reference to zone "." in named.conf, leaving the existing zone file.

2) Server Z is a "black box", I don't know its content. The AD domain controllers forward requests for external domains to the CS server.

If I wanted to keep the built-in zones, should I add the "127.in-addr.arpa" and "255.in-addr.arpa" zones to the named.rfc1912.zones file?

On Thu, 7 Aug 2025 at 14:24, Greg Choules <gregchoules+bindus...@googlemail.com> wrote:

> Hi again, Renzo.
>
> 1) Regarding root hints, the explicit hint zone has not been necessary in
> BIND for many years as the hints are built-in. This applies if your
> resolver is doing recursion. But if you are doing global forwarding - with
> "forward only;" as well - then "zone "." {" is pointless anyway. So either
> way, you can remove it.
>
> 2) BIND has a list of built-in empty zones that are for names that should
> not reach the Internet: reserved names and addresses. I think you do not
> need explicit zones on the box you call CS as either they are built-in
> already or the box called Z will have them anyway. But use tcpdump to
> monitor traffic between CS and Z and decide whether you need anything more,
> or less, in your config.
>
> Also, please look at 9.20.11 as I suggested last time.
>
> Hope that helps.
> Cheers, Greg
>
>
> On Thu, 7 Aug 2025 at 13:06, Renzo Marengo <buckroger2...@gmail.com> wrote:
>
>> I'm replacing a Caching and Forwarding DNS server (called CS) running BIND
>> 9.16.23 which forwards all client queries to a specific server Z.
>>
>> My doubts:
>>
>> 1)
>> This CS server doesn't use the root servers, so can I delete this section
>> in named.conf?
>>
>> zone "." IN {
>>     type hint;
>>     file "named.ca";
>> };
>>
>>
>> 2)
>> The original named.rfc1912.zones file contains these zones:
>> -------------------------------------------------
>> zone "localhost.localdomain" IN {
>>     type master;
>>     file "named.localhost";
>>     allow-update { none; };
>> };
>>
>> zone "localhost" IN {
>>     type master;
>>     file "named.localhost";
>>     allow-update { none; };
>> };
>>
>> zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
>>     type master;
>>     file "named.loopback";
>>     allow-update { none; };
>> };
>>
>> zone "1.0.0.127.in-addr.arpa" IN {
>>     type master;
>>     file "named.loopback";
>>     allow-update { none; };
>> };
>>
>> zone "0.in-addr.arpa" IN {
>>     type master;
>>     file "named.empty";
>>     allow-update { none; };
>> };
>> -------------------------------------------------
>>
>>
>> My old file contains the same entries, except the zone
>> "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa",
>> and it includes the following extra ones:
>>
>> zone "127.in-addr.arpa" {
>>     type master;
>>     file "db.127";
>> };
>> zone "255.in-addr.arpa" {
>>     type master;
>>     file "db.255";
>> };
>>
>> file db.255
>> $TTL 604800
>> @ IN SOA localhost. root.localhost. (
>>         1         ; Serial
>>         604800    ; Refresh
>>         86400     ; Retry
>>         2419200   ; Expire
>>         604800 )  ; Negative Cache TTL
>> ;
>> @ IN NS localhost.
>>
>>
>> file db.127
>> $TTL 604800
>> @ IN SOA localhost. root.localhost. (
>>         1         ; Serial
>>         604800    ; Refresh
>>         86400     ; Retry
>>         2419200   ; Expire
>>         604800 )  ; Negative Cache TTL
>> ;
>> @ IN NS localhost.
>> 1.0.0 IN PTR localhost.
>>
>> What do you think?
>> Can I delete both the "127.in-addr.arpa" and "255.in-addr.arpa" zones?
>> And what about the
>> "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa"
>> zone? Do I have to keep it?
>>
>> Thanks
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
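The two checks Greg describes (a hint zone that is pointless under "forward only", and explicit zones that only duplicate BIND's built-in empty zones) can be run mechanically over a named.conf. The script below is an added example, not code from this thread or from ISC: its sample configuration is constructed from the fragments quoted above, and BUILTIN_EMPTY is an assumed, partial copy of the built-in empty zone list from the BIND ARM.

```python
import re

# Constructed named.conf modelled on the fragments quoted in this thread; not the poster's real file.
SAMPLE_CONF = """
options {
    recursion yes; forward only;
    forwarders { 192.0.2.53; };  /* placeholder for server Z (RFC 5737 documentation address) */
};
zone "." IN { type hint; file "named.ca"; };
zone "1.0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-update { none; }; };
zone "127.in-addr.arpa" { type master; file "db.127"; };
zone "255.in-addr.arpa" { type master; file "db.255"; };
"""

# Assumption: partial list of BIND's built-in empty zones, taken from the ARM text on empty-zones-enable.
BUILTIN_EMPTY = {
    "10.in-addr.arpa", "127.in-addr.arpa", "0.in-addr.arpa", "168.192.in-addr.arpa",
    "254.169.in-addr.arpa", "255.255.255.255.in-addr.arpa", "0.ip6.arpa",
    "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa",
} | {f"{n}.172.in-addr.arpa" for n in range(16, 32)}

def parse_blocks(text):
    # Yield (head_tokens, body) for each top-level `head { body };`, tracking nested brace depth
    text = re.sub(r"/\*.*?\*/|//[^\n]*|#[^\n]*", " ", text, flags=re.S)  # drop all comment styles
    depth, start, head, body_start = 0, 0, [], 0
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                head, body_start = text[start:i].split(), i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                yield head, text[body_start:i]
        elif ch == ";" and depth == 0:
            start = i + 1

def lint(conf):
    # Map zone name -> why that explicit zone is redundant on this resolver
    forward_only, findings = False, {}
    for head, body in parse_blocks(conf):
        if head[0] == "options":
            forward_only = re.search(r"\bforward\s+only\s*;", body) is not None
        elif head[0] == "zone":
            name = head[1].strip('"')
            if name == "." and re.search(r"\btype\s+hint\s*;", body):
                findings[name] = "pointless with 'forward only'" if forward_only else "unneeded, root hints are built into named"
            elif name in BUILTIN_EMPTY:
                findings[name] = "duplicates a built-in empty zone (the explicit zone is loaded instead)"
    return findings
```

Only exact-name matches against the built-in list are reported, so "1.0.0.127.in-addr.arpa" (which adds a loopback PTR the built-in "127.in-addr.arpa" does not) and "255.in-addr.arpa" (not a built-in name) are left for you to decide on, as Greg suggests, from the traffic seen between CS and Z.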