Hi cjc. My answers would be: - Leave `dnssec-validation` alone (auto) and ensure your server has a path to the Internet to make queries.
- Don't mess with root hints. The only time anyone should need to do this is when running a completely captive server living in a custom namespace that is NOT the Internet. - I don't know if "none" and "!all" work out to be the same thing in code terms, but my preference would be "none" anyway because 1) that's what's in the documentation and would be the obvious choice, and 2) why deliberately create a negated expression that is harder to parse, mentally? Glancing through a config and seeing "...!all..." you may not notice the "!" and just see the "all". Even if you do see the pling, a statement containing it reads something like "I would like to permit not all", which requires some thinking about the intent. Whereas "I would like to permit none" (for me anyway) is clearer and less ambiguous. As for why authoritative servers need to make queries at all, please take a look at this article. https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries Hope that helps. Greg On Thu, 28 Mar 2024 at 06:15, Crist Clark <cjc+bind-us...@pumpky.net> wrote: > I am upgrading and redeploying some authoritative-only BIND servers. Two > questions about some fine points: > > What to set 'dnssec-validation'? Just let it default to 'auto?' There is > no need or opportunity for an authoritative-only server to validate > (right?). Should we actively switch it off, set it to 'no?' For example, > does setting it to 'no' reduce any resource use or reduce the security > vulnerability space? > > This is bordering on aesthetic (maybe the first one is too), but what to > do about the compiled-in root hints? Even on my authoritative-only server > with "recursion no," every forty-five minutes or so, it's trying to go to > the root servers and retrieve the NS and DNSKEY RRs for the root. It's > blocked since there is no reason for this server to do outbound DNS, except > to its hidden masters, so it just keeps trying and cluttering the firewall > logs. What's the best way to stop this behavior? Is there a configuration > option? I did this, > > zone "." { > type primary; > file "primary/empty-zone.db"; > allow-query { none; }; > }; > > Which seems to do the trick, but is that the cleanest way? Any problems > with that approach that I haven't considered? > > Oh, one final bonus question, is there any difference between specifying > 'none' and '!all' in a server list, ACL, etc.? I prefer 'none', but the old > configurations used '!all'. Can I change those without worrying? > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > ISC funds the development of this software with paid support > subscriptions. Contact us at https://www.isc.org/contact/ for more > information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users >
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
