On 2013-01-05, at 18:46, Martin D Kealey
> This isn't an NZ specific question, and also perhaps a bit basic; hope that's OK.
> Packaged (Debian, Ubuntu anyway) versions of BIND come with various default zones configured - localhost, broadcast and root hints.
> Are any of these actually necessary for an authoritative-only name server? It seems to me they're mostly/only useful for short-circuiting simple/standard queries on a resolver. Is that right?
They're not necessary strictly from a serving-authoritative-answers perspective.
A response to a query following a lame delegation will often result in a referral to the root, for which some knowledge of the root zone NS set (and corresponding glue) is necessary. An authoritative server doesn't need any of the default local zones (RFC 6303) configured.
> But because you're running a general-purpose OS, other packages on the OS may require name resolution, and if you have a nameserver installed, that generally forces it to be the resolver for local queries.
If that's true, I think you're using a weirdly-packaged OS.
> (For example, cron jobs may generate email, and those may need to look up MX and/or SPF records.)
I generally run a dedicated validator on every server bound to a loopback address only, and point to that validator from /etc/resolv.conf. Any authoritative server running on the same host will be bound to non-loopback interfaces. To avoid packaging complications (many systems, for example, are not packaged with the expectation that you would run two instances of BIND9 on a single machine) I tend to use unbound as the validator which leaves me free to choose between BIND9/NSD/knot/yadifa/whatever as the authority server. I strongly dislike configuration of nameservers which facilitates both recursive and authoritative-only behaviour in the same nameserver instance, regardless of whether they use BINDisms like views.
> There's no harm leaving the root hints in place - a "hint" zone is only used when BIND itself needs to look something up, never for answers to queries (although they might find their way into the "additional" section).
The hints file is used as input for priming. If you don't specify a hints file with BIND9 it will use a hints file which is hard-coded into the binary.

Joe
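As an added illustration of the split Joe describes (these fragments are not from this thread, nor from the BIND or unbound projects' own documentation), the following configuration puts an unbound validating resolver on the loopback addresses only, and an authoritative-only BIND9 instance on the host's public address with recursion and cache access switched off. The address 192.0.2.53, the zone name example.com, the zone file path and the trust-anchor path are placeholders chosen for the example; the RFC 6303 local zones are left to unbound's built-in defaults, and no hint zone is declared for BIND since, as noted above, it falls back to its compiled-in hints for priming.

```conf
# /etc/unbound/unbound.conf : validating resolver, loopback only (added example)
server:
    interface: 127.0.0.1
    interface: ::1
    # Only local processes may use this resolver; everything else is refused.
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    # DNSSEC validation with an RFC 5011 managed root trust anchor (placeholder path).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-glue: yes
    harden-dnssec-stripped: yes
    # RFC 6303 local zones (localhost, 127.in-addr.arpa, ...) come from unbound's defaults.

# /etc/bind/named.conf.options : authoritative-only BIND9 on the public address (added example)
options {
    directory "/var/cache/bind";
    listen-on { 192.0.2.53; };        // placeholder public address; loopback is left to unbound
    listen-on-v6 { none; };
    recursion no;                     // never resolve on behalf of clients
    allow-recursion { none; };
    allow-query-cache { none; };      // no cached (non-authoritative) data is handed out
    minimal-responses yes;            // keep the additional section to what is needed
};

// One authoritative zone (placeholder name and file).
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { none; };
};

# /etc/resolv.conf : local processes (cron mail, package tools, ...) use the validator
nameserver 127.0.0.1
```

With this layout the two daemons never compete for a socket, local lookups are validated, and a query for a name the authoritative instance does not serve gets REFUSED rather than a referral that depends on the root hints.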