Re: Allowing recursion for just specific zones

2010-05-11 Thread Chris Buxton
Yes, of course. I've made that mistake before, in fact. Use a custom root zone, as I believe you originally mentioned, with delegations to just the zones that should be reachable. Or else set up secure proxies and disallow all DNS resolution (an empty root zone). Chris Buxton BlueCat Networks O

Re: Out-of-zone data mistaken for glue?

2010-05-11 Thread Mark Andrews
In message <4be937b1.7070...@imperial.ac.uk>, Phil Mayers writes: > Following on from yesterday's query; if I have this zone: > > test.com. 86400 IN SOA ... > test.com. 86400 IN NS ... > foo.test.com. 86400 IN NS ns.foo.test.com. >

Re: Out-of-zone data mistaken for glue?

2010-05-11 Thread Phil Mayers
On 11/05/10 12:20, Barry Margolin wrote: In article, Phil Mayers wrote: Following on from yesterday's query; if I have this zone: test.com. 86400 IN SOA ... test.com. 86400 IN NS ... foo.test.com. 86400 IN NS ns.foo.tes

Re: Out-of-zone data mistaken for glue?

2010-05-11 Thread Barry Margolin
In article , Phil Mayers wrote: > Following on from yesterday's query; if I have this zone: > > test.com. 86400 IN SOA ... > test.com. 86400 IN NS ... > foo.test.com. 86400 IN NS ns.foo.test.com. > ns.foo.test.com. 86400 I

Out-of-zone data mistaken for glue?

2010-05-11 Thread Phil Mayers
Following on from yesterday's query; if I have this zone: test.com. 86400 IN SOA ... test.com. 86400 IN NS ... foo.test.com. 86400 IN NS ns.foo.test.com. ns.foo.test.com. 86400 IN A 192.168.254.254 www.foo

Re: Splitting off a sub-zone "atomically"

2010-05-11 Thread Phil Mayers
On 05/11/2010 09:12 AM, Matus UHLAR - fantomas wrote: On 10.05.10 16:20, Phil Mayers wrote: We're doing some DNSSEC testing with sub-zones of our main zone, and I had a little accident largely due to my own incompetence today where I basically did this: 1. Existing zone "example.com"; create ne

Re: Allowing recursion for just specific zones

2010-05-11 Thread Brian Candler
On Mon, May 10, 2010 at 11:54:57AM -0700, Chris Buxton wrote: > One strategy would be to set up a view that matches recursive queries > only. Set allow-query to none at the view, then set it any (or > whatever) in each zone of type forward or stub. Thank you Chris. Unfortunately, allow-query is r

Re: Splitting off a sub-zone "atomically"

2010-05-11 Thread Matus UHLAR - fantomas
On 10.05.10 16:20, Phil Mayers wrote: > We're doing some DNSSEC testing with sub-zones of our main zone, and I > had a little accident largely due to my own incompetence today where I > basically did this: > > 1. Existing zone "example.com"; create new zone "sub.example.com" > > 2. Run a SQL->D