Authoritative DNS config
This isn't an NZ specific question, and also perhaps a bit basic; hope that's OK.

Packaged (Debian, Ubuntu anyway) versions of BIND come with various default zones configured - localhost, broadcast and root hints.

Are any of these actually necessary for an authoritative-only name server? It seems to me they're mostly/only useful for short-circuiting simple/standard queries on a resolver. Is that right?

Not having any other zones than my own in my config would make it somewhat easier to configure views.

Thanks,
Richard
> This isn't an NZ specific question, and also perhaps a bit basic; hope that's OK.
>
> Packaged (Debian, Ubuntu anyway) versions of BIND come with various default zones configured - localhost, broadcast and root hints.
>
> Are any of these actually necessary for an authoritative-only name server? It seems to me they're mostly/only useful for short-circuiting simple/standard queries on a resolver. Is that right?

They're not necessary strictly from a serving-authoritative-answers perspective.

But because you're running a general-purpose OS, other packages on the OS may require name resolution, and if you have a nameserver installed, that generally forces it to be the resolver for local queries. (For example, cron jobs may generate email, and those may need to look up MX and/or SPF records.)

So you could either (a) provide an off-host resolver (presumably elsewhere in your cluster), or (b) run a separate on-host resolver and arrange for the two services to listen on different addresses (resolver on 127.0.0.1 & auth on "others"), or (c) run BIND in split-view mode.

There's no harm leaving the root hints in place - a "hint" zone is only used when BIND itself needs to look something up, never for answers to queries (although they might find their way into the "additional" section).

So the answer is "it depends".

-Martin
On 06/01/13 12:46, Martin D Kealey wrote:
>> This isn't an NZ specific question, and also perhaps a bit basic; hope that's OK.
>>
>> Packaged (Debian, Ubuntu anyway) versions of BIND come with various default zones configured - localhost, broadcast and root hints.
>>
>> Are any of these actually necessary for an authoritative-only name server? It seems to me they're mostly/only useful for short-circuiting simple/standard queries on a resolver. Is that right?
>
> They're not necessary strictly from a serving-authoritative-answers perspective.
>
> But because you're running a general-purpose OS, other packages on the OS may require name resolution, and if you have a nameserver installed, that generally forces it to be the resolver for local queries. (For example, cron jobs may generate email, and those may need to look up MX and/or SPF records.)
Um, surely locally generated queries will go wherever resolv.conf tells them - which is not the local BIND.
> So you could either (a) provide an off-host resolver (presumably elsewhere in your cluster), or (b) run a separate on-host resolver and arrange for the two services to listen on different addresses (resolver on 127.0.0.1 & auth on "others"), or (c) run BIND in split-view mode.
>
> There's no harm leaving the root hints in place - a "hint" zone is only used when BIND itself needs to look something up, never for answers to queries (although they might find their way into the "additional" section).
Running BIND with split views is (was, anyway) the end (well, intermediate) goal. Last time I did that, I had to rearrange all the conf files, because once you use views, everything has to be in a view - including those zones I mentioned - so the standard Debian layout no longer works.

In fact, I don't think I want to use views in my case anyway; there are better ways to solve my underlying issue (testing my new mail server without breaking the old one, on the same FQDN) - I can run a BIND on my desktop that overrides the real data.

But perhaps it would be useful to work out a default layout that cleanly supports views (if that's possible) that I could propose to the Debian maintainer.

Thanks,
Richard
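For the layout problem Richard describes (with views in use, named refuses any zone statement outside a view, so Debian's top-level `include "/etc/bind/named.conf.default-zones";` cannot stay where it is), the following is an added illustration of one arrangement that keeps the stock default-zones file intact and pulls it into the view that needs it. It is not a file from this thread or from the Debian package; the zone name `example.org`, the prefix `192.0.2.0/24`, and the file paths are assumed.

```conf
# /etc/bind/named.conf  (added example; the Debian-shipped named.conf differs)
#
# Options stay at top level; with views present, zone statements must not.
# So the stock named.conf.default-zones and named.conf.local are NOT
# included here but inside the view(s) that want them.
include "/etc/bind/named.conf.options";

acl "lan" { localhost; 192.0.2.0/24; };   # assumed internal prefix

view "internal" {
    match-clients { "lan"; };
    recursion yes;
    # localhost, 127.in-addr.arpa, broadcast-address and root-hint zones:
    # the resolver-side view is the one that benefits from them.
    include "/etc/bind/named.conf.default-zones";
    zone "example.org" {
        type master;
        file "/etc/bind/db.example.org.internal";   # assumed path
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    # An authoritative-only view does not need the local zones from the
    # default-zones file. Carrying the hint zone is harmless; it is only
    # consulted when named itself has to look something up.
    zone "." {
        type hint;
        file "/etc/bind/db.root";   # assumed path
    };
    zone "example.org" {
        type master;
        file "/etc/bind/db.example.org.external";   # assumed path
    };
};
```

Check the result with `named-checkconf /etc/bind/named.conf` before reloading; a zone left at top level will be reported as an error as soon as any `view` statement exists. Note that this is Martin's option (c), a single instance answering both recursive and authoritative queries, which Joe argues against below in favour of two separate daemons.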
On 2013-01-05, at 18:46, Martin D Kealey wrote:
>> This isn't an NZ specific question, and also perhaps a bit basic; hope that's OK.
>>
>> Packaged (Debian, Ubuntu anyway) versions of BIND come with various default zones configured - localhost, broadcast and root hints.
>>
>> Are any of these actually necessary for an authoritative-only name server? It seems to me they're mostly/only useful for short-circuiting simple/standard queries on a resolver. Is that right?
>
> They're not necessary strictly from a serving-authoritative-answers perspective.
A response to a query following a lame delegation will often result in a referral to the root, for which some knowledge of the root zone NS set (and corresponding glue) is necessary. An authoritative server doesn't need any of the default local zones (RFC 6303) configured.
> But because you're running a general-purpose OS, other packages on the OS may require name resolution, and if you have a nameserver installed, that generally forces it to be the resolver for local queries.
If that's true, I think you're using a weirdly-packaged OS.
> (For example, cron jobs may generate email, and those may need to look up MX and/or SPF records.)
I generally run a dedicated validator on every server bound to a loopback address only, and point to that validator from /etc/resolv.conf. Any authoritative server running on the same host will be bound to non-loopback interfaces. To avoid packaging complications (many systems, for example, are not packaged with the expectation that you would run two instances of BIND9 on a single machine) I tend to use unbound as the validator which leaves me free to choose between BIND9/NSD/knot/yadifa/whatever as the authority server. I strongly dislike configuration of nameservers which facilitates both recursive and authoritative-only behaviour in the same nameserver instance, regardless of whether they use BINDisms like views.
> There's no harm leaving the root hints in place - a "hint" zone is only used when BIND itself needs to look something up, never for answers to queries (although they might find their way into the "additional" section).
The hints file is used as input for priming. If you don't specify a hints file with BIND9 it will use a hints file which is hard-coded into the binary.

Joe
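The two-daemon arrangement Joe describes (a validator bound to loopback only, the authority server bound to everything else, and resolv.conf pointing at the validator), which is also Martin's option (b), as an added configuration example that is not from the thread or from either project's shipped defaults. The addresses 192.0.2.53 and 2001:db8::53, the trust-anchor path, and the file locations are assumed.

```conf
# /etc/unbound/unbound.conf  (validating resolver, loopback only; added example)
server:
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    # DNSSEC validation with an RFC 5011-managed root trust anchor (assumed path)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Unbound's default, stated here on purpose: the resolver must never treat
    # the authority server on this same host as an upstream.
    do-not-query-localhost: yes

# /etc/bind/named.conf.options  (authoritative only, non-loopback addresses; added example)
options {
    directory "/var/cache/bind";
    # Bind explicitly to the service addresses so named and unbound never
    # contend for port 53 on the same socket.
    listen-on { 192.0.2.53; };         # assumed address
    listen-on-v6 { 2001:db8::53; };    # assumed address
    recursion no;
    allow-query { any; };
    allow-transfer { none; };          # secondaries, if any, are listed per zone
    # Keep the additional section to what is required, which also avoids
    # the root-hint data Martin mentions leaking into answers.
    minimal-responses yes;
};

# /etc/resolv.conf  (the OS's own lookups, e.g. cron-generated mail, go to the validator)
nameserver 127.0.0.1
options edns0
```

Before starting either service, `unbound-checkconf` and `named-checkconf` will catch syntax errors, and `ss -lnup 'sport = :53'` (or `netstat -lnup`) after startup should show unbound on 127.0.0.1 and ::1 only and named on the service addresses only. The split also removes the reason for the RFC 6303 local zones in the authority instance: unbound answers `localhost` and the loopback reverse names itself.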
Participants (3): Joe Abley, Martin D Kealey, Richard Hector