[Techtalk] O BIND gurus: authoritative v caching and root zones and stuff

Devdas Bhagat devdas at dvb.homelinux.org
Sun Aug 22 23:13:33 EST 2004


On 22/08/04 10:37 -0700, Carla Schroder wrote:
> OK I'm back with another installment of 'DNS Barbie says BIND is hard!'
> 
DNS is hard.

> I have a caching server on one machine, and my authoritative server for my 
> domain on a different machine, like good and wise DNS admins are supposed to 
> do. This is my named.conf for the caching server:
> 
> 
> //
> // sample BIND configuration file
> //
> 
> options {
>   // tell named where to find files mentioned below
>   directory "/var/named";
>   // on a multi-homed host, you might want to tell named
>   // to listen for queries only on certain interfaces
>   listen-on { 127.0.0.1; 10.11.12.0/24; };
> };
> 

Interfaces are not subnets.

options {
	directory "/var/named";
	listen-on {
		127.0.0.1;
		10.11.12.1;
	};
	allow-recursion {
		127.0.0.0/8;
		10.11.12.0/24;
	};
};

// This keeps other people's misconfigured servers out of my logs.
// Telling them about it would be nice, but I can't be bothered.
logging {
	category "lame-servers" {
		"null";
	};
};


> // The single dot (.) is the root of all DNS namespace, so
> // this zone tells named where to start looking for any
> // name on the Internet
> zone "." IN {
>   // a hint type means that we've got to look elsewhere
>   // for authoritative information
>   type hint;
>   file "named.root";
> };
> 
> // Where the localhost hostname is defined
> zone "localhost" IN {
>   // a master type means that this server needn't look
>   // anywhere else for information; the localhost buck
>   // stops here.
>   type master;
>   file "zone.localhost";
>   // don't allow dynamic DNS clients to update info
>   // about the localhost zone
>   allow-update { none; };
> };
> 
> // Where the 127.0.0.0 network is defined

More precisely, where the reverse DNS for 127.0.0.0/24, which belongs in
the 0.0.127.in-addr.arpa. zone, is defined (note the trailing .).

> zone "0.0.127.in-addr.arpa" IN {
>   type master;
>   file "revp.127.0.0";
>   allow-update { none; };
> };
> 
> 
> On the authoritative server, do I still need to include the root zone entry? 
> Seems to me that should belong only to the caching server.

You do not need a root zone entry on the authoritative server.
It will answer for the domains it is supposed to be authoritative for,
and return NXDOMAIN for everything else.

Devdas Bhagat
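The three points made in this reply (listen-on takes interface addresses rather than subnets, a caching server should restrict recursion with allow-recursion so it is not an open resolver, and an authoritative-only server has no use for a root hint zone) can be checked mechanically. The following is an added example, not code from the thread or from BIND: a toy named.conf parser plus an audit function run over the two configs posted above (the quoted one with its missing semicolons supplied) and over a constructed, hypothetical authoritative config using 192.0.2.53 and example.com. Treating the absence of an explicit allow-recursion ACL as a finding is a policy choice made here, independent of what a given BIND version defaults to.

```python
"""Audit named.conf fragments for: listen-on entries written as subnets,
recursion left open to the world, and a root hint zone on a server meant
to be authoritative only.  Toy parser; sample configs are constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


@dataclass
class Stmt:
    words: list[str]                    # e.g. ['zone', '.', 'IN'] or ['recursion', 'no']
    block: Optional[list[Stmt]] = None  # statements nested inside { }, if any


def tokenize(text: str) -> list[str]:
    """Strip /* */, // and # comments, then split into words, braces, semicolons."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"(//|#)[^\n]*", " ", text)
    return [t.strip('"') for t in TOKEN_RE.findall(text)]


def _parse(tokens: list[str], i: int = 0) -> tuple[list[Stmt], int]:
    stmts: list[Stmt] = []
    while i < len(tokens) and tokens[i] != "}":
        words: list[str] = []
        while i < len(tokens) and tokens[i] not in ("{", ";", "}"):
            words.append(tokens[i])
            i += 1
        block = None
        if i < len(tokens) and tokens[i] == "{":
            block, i = _parse(tokens, i + 1)
            i += 1                      # consume the closing brace
        if i < len(tokens) and tokens[i] == ";":
            i += 1
        if words or block is not None:
            stmts.append(Stmt(words, block))
    return stmts, i


def parse_config(text: str) -> list[Stmt]:
    return _parse(tokenize(text))[0]


def find(stmts: list[Stmt], name: str) -> list[Stmt]:
    return [s for s in stmts if s.words and s.words[0] == name]


def values(stmt: Stmt) -> list[str]:
    """Entries of an address_match_list such as { 127.0.0.1; 10.11.12.0/24; }."""
    return [w for s in (stmt.block or []) for w in s.words]


def audit(text: str) -> list[str]:
    cfg = parse_config(text)
    opts = [s for o in find(cfg, "options") for s in (o.block or [])]
    findings: list[str] = []

    # 1. "Interfaces are not subnets": listen-on should list addresses, not prefixes.
    for lo in find(opts, "listen-on") + find(opts, "listen-on-v6"):
        findings += [f"listen-on-prefix:{v}" for v in values(lo) if "/" in v]

    hint_zones = [z for z in find(cfg, "zone")
                  if any(s.words[:2] == ["type", "hint"] for s in (z.block or []))]
    recursion = find(opts, "recursion")
    recursive = not recursion or recursion[-1].words[1:] != ["no"]  # no statement: recursive

    if recursive:
        # 2. A caching server without an explicit allow-recursion ACL (or with
        #    'any' in it) is treated here as an open resolver.
        acl = find(opts, "allow-recursion")
        if not acl:
            findings.append("open-resolver:no-allow-recursion")
        elif "any" in values(acl[-1]):
            findings.append("open-resolver:allow-recursion-any")
        if not hint_zones:
            findings.append("recursive-without-root-hints")
    elif hint_zones:
        # 3. The reply's point: an authoritative-only server needs no root hints.
        findings.append("authoritative-with-root-hints")
    return findings


# Constructed from the config quoted in the thread (missing semicolons added).
CACHING_ORIGINAL = """
options {
  directory "/var/named";
  // a subnet, not an interface address
  listen-on { 127.0.0.1; 10.11.12.0/24; };
};
zone "." IN { type hint; file "named.root"; };
zone "localhost" IN { type master; file "zone.localhost"; allow-update { none; }; };
zone "0.0.127.in-addr.arpa" IN { type master; file "revp.127.0.0"; allow-update { none; }; };
"""

# Constructed from the corrected options block in the reply.
CACHING_FIXED = """
options {
  directory "/var/named";
  listen-on { 127.0.0.1; 10.11.12.1; };
  allow-recursion { 127.0.0.0/8; 10.11.12.0/24; };
};
logging { category "lame-servers" { "null"; }; };
zone "." IN { type hint; file "named.root"; };
"""

# Hypothetical authoritative-only server: address, zone and file names are made up.
AUTHORITATIVE = """
options {
  directory "/var/named";
  listen-on { 192.0.2.53; };
  recursion no;
  allow-transfer { none; };
};
zone "example.com" IN { type master; file "example.com.zone"; allow-update { none; }; };
"""

if __name__ == "__main__":
    for label, conf in [("caching (as posted)", CACHING_ORIGINAL),
                        ("caching (corrected)", CACHING_FIXED),
                        ("authoritative", AUTHORITATIVE)]:
        print(f"{label}: {audit(conf) or 'no findings'}")
```

Appending the root hint zone from the caching config to the authoritative one makes the audit report `authoritative-with-root-hints`, and flipping `recursion no` to `recursion yes` on it reports both the missing allow-recursion ACL and the missing root hints, which is the combination that turns an authoritative server into an open resolver.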

