On 06/01/13 12:46, Martin D Kealey wrote:
This isn't an NZ specific question, and also perhaps a bit basic; hope that's OK.
Packaged (Debian, Ubuntu anyway) versions of BIND come with various default zones configured - localhost, broadcast and root hints.
Are any of these actually necessary for an authoritative-only name server? It seems to me they're mostly/only useful for short-circuiting simple/standard queries on a resolver. Is that right?
They're not necessary strictly from a serving-authoritative-answers perspective.
But because you're running a general-purpose OS, other packages on the OS may require name resolution, and if you have a nameserver installed, that generally forces it to be the resolver for local queries. (For example, cron jobs may generate email, and those may need to look up MX and/or SPF records.)
Um, surely locally generated queries will go wherever resolv.conf tells them - which is not the local BIND.
So you could either (a) provide an off-host resolver (presumably elsewhere in your cluster), or (b) run a separate on-host resolver and arrange for the two services to listen on different addresses (resolver on 127.0.0.1 & auth on "others"), or (c) run BIND in split-view mode.
There's no harm leaving the root hints in place - a "hint" zone is only used when BIND itself needs to look something up, never for answers to queries (although they might find their way into the "additional" section).
Running BIND with split views is (was, anyway) the end (well, intermediate) goal. Last time I did that, I had to rearrange all the conf files, because once you use views, everything has to be in a view - including those zones I mentioned - so the standard Debian layout no longer works. In fact, I don't think I want to use views in my case anyway; there are better ways to solve my underlying issue (testing my new mail server without breaking the old one, on the same fqdn) - I can run a BIND on my desktop that overrides the real data.

But perhaps it would be useful to work out a default layout that cleanly supports views (if that's possible) that I could propose to the Debian maintainer.

Thanks,
Richard
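The constraint discussed in this thread (once any view exists, every zone, including the default hint and localhost zones, must sit inside a view) can be checked mechanically. The following is an added example, not part of the original messages: the sample configuration is constructed, its file names are placeholders rather than Debian's actual paths, and the parser is a simplified brace counter, not a replacement for BIND's own `named-checkconf`.

```python
import re

# Constructed sample: a views-based named.conf where one zone was left
# at top level (file names are placeholders, not Debian's real paths).
SAMPLE = '''
options { directory "/placeholder"; };  // comment with zone "x" {
view "internal" {
    match-clients { 127.0.0.1; };
    recursion yes;
    zone "." { type hint; file "root.hints.placeholder"; };
    zone "localhost" { type master; file "db.local.placeholder"; };
};
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.org" { type master; file "db.example.placeholder"; };
};
zone "255.in-addr.arpa" { type master; file "db.255.placeholder"; };
'''

def strip_comments(text):
    """Remove /* */, // and # comments (quoted strings are kept intact)."""
    pattern = r'("(?:\\.|[^"\\])*")|/\*.*?\*/|//[^\n]*|#[^\n]*'
    return re.sub(pattern, lambda m: m.group(1) or " ", text, flags=re.S)

def zones_outside_views(conf):
    """Return (uses_views, [zone names declared at top level])."""
    tokens = re.findall(r'"(?:\\.|[^"\\])*"|[{};]|[^\s{};"]+', strip_comments(conf))
    depth, uses_views, stray = 0, False, []
    for i, tok in enumerate(tokens):
        if tok == "{":
            depth += 1
        elif tok == "}":
            depth -= 1
        elif depth == 0 and tok == "view":
            uses_views = True
        elif depth == 0 and tok == "zone" and i + 1 < len(tokens):
            stray.append(tokens[i + 1].strip('"'))
    return uses_views, stray

def check(conf):
    """Zones outside views are only a problem once any view exists."""
    uses_views, stray = zones_outside_views(conf)
    return stray if uses_views else []

if __name__ == "__main__":
    for name in check(SAMPLE):
        print(f'zone "{name}" is outside any view')
```

In the sample, the internal view carries the hint and localhost zones and allows recursion only for 127.0.0.1, while the external view serves authoritative data with recursion off; the one zone left at top level is what the check reports.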