Hi.

1a correct
1b no because you have disabled recursion
1c OK. But as I said, if you also have "forward only;" (recommended) it won't try to recurse, so hints are irrelevant.

2 Your choice. Use packet captures to see what queries CS is receiving and deal with them appropriately. Tuning must be your job as no-one else knows your environment.

Cheers, Greg

On Fri, 8 Aug 2025 at 07:41, Renzo Marengo <buckroger2...@gmail.com> wrote:
> Hi Greg,
> Thanks for your help.
>
> 1) Just so I'm clear, if I made this configuration:
> global forwarding DISABLED
> zone "." MISSING
> recursion ENABLED
>
> a- server would contact root servers because hints are built-in, right?
> b- with the same configuration but recursion DISABLED, would the server contact root servers?
> c- in CS (cache server) both recursion and global forwarding are enabled; I will comment out the reference to zone "." in named.conf, leaving the existing zone file.
>
> 2) Z server is a "black box", I don't know its content.
> AD domain controllers forward requests for external domains to the CS server. If I wanted to keep built-in zones, should I add the "127.in-addr.arpa" and "255.in-addr.arpa" zones in the named.rfc1912.zones file?
>
> On Thu, 7 Aug 2025 at 14:24, Greg Choules <gregchoules+bindus...@googlemail.com> wrote:
>
>> Hi again, Renzo.
>>
>> 1) Regarding root hints, the explicit hint zone has not been necessary in BIND for many years as the hints are built-in. This applies if your resolver is doing recursion. But if you are doing global forwarding - with "forward only;" as well - then "zone "." {" is pointless anyway. So either way, you can remove it.
>>
>> 2) BIND has a list of built-in empty zones that are for names that should not reach the Internet: reserved names and addresses. I think you do not need explicit zones on the box you call CS as either they are built-in already or the box called Z will have them anyway. But use tcpdump to monitor traffic between CS and Z and decide whether you need anything more, or less, in your config.
>>
>> Also, please look at 9.20.11 as I suggested last time.
>>
>> Hope that helps.
>> Cheers, Greg
>>
>> On Thu, 7 Aug 2025 at 13:06, Renzo Marengo <buckroger2...@gmail.com> wrote:
>>
>>> I'm replacing a caching and forwarding DNS server (called CS) in BIND 9.16.23 which forwards all client queries to a specific server Z.
>>>
>>> My doubts:
>>>
>>> 1)
>>> This CS server doesn't use root servers, so can I delete this section in named.conf?
>>> zone "." IN {
>>>     type hint;
>>>     file "named.ca";
>>> };
>>>
>>> 2)
>>> the original named.rfc1912.zones file contains these zones:
>>> -------------------------------------------------
>>> zone "localhost.localdomain" IN {
>>>     type master;
>>>     file "named.localhost";
>>>     allow-update { none; };
>>> };
>>>
>>> zone "localhost" IN {
>>>     type master;
>>>     file "named.localhost";
>>>     allow-update { none; };
>>> };
>>>
>>> zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
>>>     type master;
>>>     file "named.loopback";
>>>     allow-update { none; };
>>> };
>>>
>>> zone "1.0.0.127.in-addr.arpa" IN {
>>>     type master;
>>>     file "named.loopback";
>>>     allow-update { none; };
>>> };
>>>
>>> zone "0.in-addr.arpa" IN {
>>>     type master;
>>>     file "named.empty";
>>>     allow-update { none; };
>>> };
>>> -------------------------------------------------
>>>
>>> My old file contains the same entries, excluding the zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa", and it includes the following extra ones:
>>>
>>> zone "127.in-addr.arpa" {
>>>     type master;
>>>     file "db.127";
>>> };
>>> zone "255.in-addr.arpa" {
>>>     type master;
>>>     file "db.255";
>>> };
>>>
>>> file db.255
>>> $TTL 604800
>>> @       IN SOA localhost. root.localhost. (
>>>                       1 ; Serial
>>>                  604800 ; Refresh
>>>                   86400 ; Retry
>>>                 2419200 ; Expire
>>>                  604800 ) ; Negative Cache TTL
>>> ;
>>> @       IN NS  localhost.
>>>
>>> file db.127
>>> $TTL 604800
>>> @       IN SOA localhost. root.localhost. (
>>>                       1 ; Serial
>>>                  604800 ; Refresh
>>>                   86400 ; Retry
>>>                 2419200 ; Expire
>>>                  604800 ) ; Negative Cache TTL
>>> ;
>>> @       IN NS  localhost.
>>> 1.0.0   IN PTR localhost.
>>>
>>> What do you think?
>>> Can I delete both the "127.in-addr.arpa" and "255.in-addr.arpa" zones?
>>> And what about the "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" zone? Do I have to keep it?
>>>
>>> Thanks
>>>
>>> --
>>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>>
>>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>>>
>>> bind-users mailing list
>>> bind-users@lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
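Added example, not part of the thread and not ISC's code: a small Python lint that applies the rule discussed above (the roots are only reached by a server that recurses and is not forwarding everything, so with "forward only;" an explicit zone "." hint is dead weight) to a named.conf before it goes live. The sample config, its RFC 5737 addresses and every function name are constructed for the demo; point analyse() at your real named.conf to get the same verdict. The ACL finding at the end is my own addition, not something raised in the thread.

```python
"""Lint a named.conf for the thread's questions: will the server ever contact the
root servers, is an explicit zone "." hint doing anything, is "forward only" set?
Added example, not code from the bind-users thread or from ISC; the sample config,
its RFC 5737 addresses and all names below are constructed for the demo."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the "CS" cache from the thread, forwarding everything to "Z".
SAMPLE_CS_CONF = r'''
options {
    allow-query     { 10.0.0.0/8; 192.0.2.0/24; };
    allow-recursion { 10.0.0.0/8; 192.0.2.0/24; };
    recursion yes;
    forward only;
    forwarders { 198.51.100.10; };   /* the black-box server "Z" */
};
zone "." IN {
    type hint;
    file "named.ca";
};
'''


def tokenize(text: str) -> list:
    """Drop /* */, // and # comments, then split into words, quoted strings and { } ;."""
    text = re.sub(r'/\*.*?\*/', ' ', text, flags=re.S)
    text = re.sub(r'(//|#)[^\n]*', ' ', text)
    return re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text)


def parse(tokens: list, i: int = 0):
    """Recursive descent over BIND's statement shape: word... [{ block }] ;
    Returns (statements, next_index); a statement is (words, children_or_None)."""
    stmts, words = [], []
    while i < len(tokens):
        tok = tokens[i]
        if tok == '{':
            children, i = parse(tokens, i + 1)
            stmts.append((words, children))
            words = []
        elif tok == '}':
            return stmts, i + 1
        elif tok == ';':
            if words:
                stmts.append((words, None))
            words = []
            i += 1
        else:
            words.append(tok.strip('"'))
            i += 1
    return stmts, i


@dataclass
class Verdict:
    recursion: bool
    forwarders: list
    forward_mode: Optional[str]   # 'only' or 'first' when forwarders exist, else None
    explicit_hint_zone: bool
    consults_roots: bool
    findings: list = field(default_factory=list)


def analyse(conf: str) -> Verdict:
    stmts, _ = parse(tokenize(conf))
    options = next((c for w, c in stmts if w == ['options'] and c is not None), [])

    def option(name):
        # Arguments of a simple option, [] for a block-only option, None if absent.
        return next((w[1:] for w, _c in options if w and w[0] == name), None)

    recursion = (option('recursion') or ['yes'])[0].lower() == 'yes'   # BIND default: yes
    fwd = next((c for w, c in options if w == ['forwarders'] and c is not None), None)
    forwarders = [w[0] for w, _c in fwd] if fwd else []
    forward_mode = (option('forward') or ['first'])[0].lower() if forwarders else None  # default: first
    explicit_hint = any(
        len(w) >= 2 and w[0] == 'zone' and w[1] == '.' and c is not None
        and any(cw[:2] == ['type', 'hint'] for cw, _cc in c)
        for w, c in stmts)

    # Roots are contacted only by a server that recurses AND does not forward
    # everything. Forwarding is part of recursive resolution, so "recursion no"
    # switches off both (the 1a/1b/1c cases in the thread).
    consults_roots = recursion and (not forwarders or forward_mode == 'first')

    v = Verdict(recursion, forwarders, forward_mode, explicit_hint, consults_roots)
    if forwarders and not recursion:
        v.findings.append('forwarders set but recursion is off: forwarding never happens')
    if explicit_hint and not consults_roots:
        v.findings.append('zone "." hint is never consulted here; remove it')
    elif explicit_hint:
        v.findings.append('zone "." hint duplicates the built-in hints; keep it only for a custom roots file')
    if forwarders and forward_mode == 'first':
        v.findings.append('forward first falls back to the roots if Z fails; use forward only '
                          'if CS must depend solely on Z')
    if recursion and option('allow-recursion') is None and option('allow-query') is None:
        v.findings.append('no allow-recursion/allow-query ACL: check that the default '
                          '(localnets; localhost;) matches the intended clients')
    return v


if __name__ == '__main__':
    v = analyse(SAMPLE_CS_CONF)
    print(f'recursion={v.recursion} forward={v.forward_mode} roots={v.consults_roots}')
    for finding in v.findings:
        print(' -', finding)
```

The parser only understands the statement shape BIND uses (words, an optional brace block, a semicolon), which is enough to read options and zone statements; it does not validate syntax, so keep running named-checkconf as well. None of this replaces the tcpdump check recommended in the thread, which shows what CS actually sends to Z rather than what the file says it should.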