Ray Bellis <r...@bellis.me.uk> wrote:
> On 26/10/2018 12:57, Bjørn Mork wrote:
>
> > I'd also like to repeat my previous comment on the BIND example
> > config: Configuring a "static-stub" root zone has some unexpected
> > consequences. It makes the server refuse non-recursive queries for
> > root instead of redirecting. Not a big problem, but it does make
> > "dig +trace" fail with such a server as starting point.

The setup I have on my toy server uses `match-recursive-only` on the
recursive view, which avoids this problem. It has the side-effect that
RD=0 queries do not probe the cache, but I haven't noticed any problems
due to that. (But this server is only used by me so it doesn't get a wide
variety of weird traffic.)

> > It would be nice to see this issue discussed in the RFC, including
> > justification of the "static-stub" zone type. The reason for that
> > choice is not obvious. To me, at least.
>
> From my (admittedly limited) testing I don't think there's any other
> BIND zone type that would work. When I tried "type forward" it sent not
> just the root zone queries to the specified server but *all* queries for
> all sub-domains thereof, too.

A `forward` zone makes `named` act as a recursive client for that part of
the namespace, so if you point it at an authoritative server for that
zone, you won't get the right answer for any delegations or out-of-zone
CNAMEs.

A `stub` zone works kind of like root hints: `named` queries the
configured server for the zone's NS records, then uses those. So it can't
be used to redirect queries to an unofficial secondary.

Directly using a `slave` zone in the recursive view suppresses validation,
so it can't detect on-the-wire mangling in the way the `static-stub` setup
does.

Tony.

--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Lundy, Fastnet, Irish Sea: North 5 to 7, occasionally gale 8. Moderate or
rough. Squally showers, perhaps wintry later. Good occasionally moderate.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
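As an added illustration (not taken from the draft, from this thread, or from BIND's own documentation), the following is a constructed two-view `named.conf` layout of the kind the reply above describes: the resolver view carries `match-recursive-only yes;` and a `static-stub` root zone pointing at a local root mirror, and a second view holds the `slave` copy of the root zone and answers the RD=0 queries that fall through instead of being refused. The listen address 127.12.12.12, the directory and file name, and the 192.0.2.1 transfer source are placeholders, not real values.

```conf
// Constructed example, not from the draft or the thread.
// Views are matched in order. RD=1 (recursive) queries hit the validating
// resolver; RD=0 queries (for example the ones "dig +trace" starts with)
// do not match the first view and fall through to the local authoritative
// root copy instead of getting REFUSED from the static-stub zone.

options {
    listen-on { 127.0.0.1; 127.12.12.12; };   // placeholder addresses
    directory "/var/cache/bind";              // placeholder path
};

// View 1: the recursive resolver. Only queries with RD=1 match it, so
// RD=0 queries never probe this view's cache.
view "resolver" {
    match-recursive-only yes;
    recursion yes;
    dnssec-validation auto;   // answers from the root mirror are validated too

    // Send root-zone lookups to the local mirror. named still treats the
    // answers as coming from a (non-official) root server rather than
    // loading them as its own zone data, so validation still applies.
    zone "." {
        type static-stub;
        server-addresses { 127.12.12.12; };
    };
};

// View 2: the local authoritative copy of the root zone. It answers both
// clients' RD=0 queries (so "dig +trace" can start here) and the RD=0
// lookups that the static-stub zone in view 1 sends to 127.12.12.12.
view "root-mirror" {
    recursion no;

    zone "." {
        type slave;
        file "root-mirror.db";   // placeholder file name
        notify no;
        masters { 192.0.2.1; };  // placeholder; use a real root zone transfer source
    };
};
```

Two points to check before using a layout like this: view order matters, because `named` stops at the first view whose match clauses are satisfied, so the `match-recursive-only` view has to come first; and RD=0 queries for names outside the root zone will also land in the second view, which has no data for them, so a client that sends non-recursive queries for other names will not get cached answers, which is the side-effect noted above.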