Has anyone recommended doing debugging via NSID instead of the CH class data?
On 8/27/15 12:55 PM, Bob McDonald wrote:
> If I set this up as follows, it works.
>
> view bind chaos {
>     recursion no;
>     allow-query { 127.0.0.1; none; };
>     zone authors.bind ch { type master; database "_builtin authors"; };
>     zone hostname.bind ch { type master; database "_builtin hostname"; };
>     zone version.bind ch { type master; database "_builtin version"; };
>     zone id.server ch { type master; database "_builtin id"; };
> };
>
> Queries from 127.0.0.1 are answered correctly, queries from anywhere
> else are met with a REFUSED reply.
>
> However, the answers show as coming from view "bind" in the statistics.
> There is also a view named "_bind" which seems to serve those same
> zones. (named won't start if I try to name the view "_bind".)
>
> I can get answers from the zones in view "_bind" if I accept/reject via
> the match-clients statement. If I also remove the zones from view
> "bind", it returns a SERVFAIL to queries for selected devices in that
> view of class chaos. I think I understand this last one.
>
> Setting recursion off does not seem to affect the warning message
> generated by omitting the root hints zone for class chaos.
>
> Bob
>
> On Wed, Aug 26, 2015 at 5:50 AM, Bob McDonald <bmcdonal...@gmail.com> wrote:
>
> The warning is issued either way (with or without recursion
> specified). But I see the logic in not needing it if recursion is
> set to no.
>
> Thanks again,
>
> Bob
>
> On Wed, Aug 26, 2015 at 5:45 AM, Tony Finch <d...@dotat.at> wrote:
>
> Bob McDonald <bmcdonal...@gmail.com> wrote:
> >
> > I'd still include the hint zone (as I'm partial to not having unnecessary
> > warnings on startup).
>
> The "recursion no" directive means you shouldn't have a hint zone in that
> view. (I don't know if it will complain about the inconsistency.)
>
> > Also a lot of folks use localhost and/or localnets in DNS configuration.
> > Just from a security standpoint, I prefer to be more specific. localhost
> > and/or localnets can be much more template friendly, I know.
>
> I just used them as placeholders since they are used in the default ACLs :-)
>
> Tony.
> --
> f.anthony.n.finch <d...@dotat.at> http://dotat.at/
> Viking, North Utsire: Easterly 4 or 5, increasing 6 at times. Slight or
> moderate, but rough in southwest Viking. Showers later. Good, occasionally
> poor later.
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
When I do still catch the odd glimpse, it's peripheral; mere fragments of mad-doctor chrome, confining themselves to the corner of the eye.
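Added example, not part of the original thread and not ISC code: a check an operator could run against their own server to confirm that the builtin CH zones quoted above answer only the intended source, with an optional EDNS NSID request as raised in the reply. The function names and the `source_is_trusted` flag are hypothetical; the constants are the standard DNS values (class CH = 3, TXT = 16, OPT = 41, NSID option = 3).

```python
import socket
import struct

CLASS_CH, TYPE_TXT, TYPE_OPT, OPT_NSID = 3, 16, 41, 3
RCODES = {0: "NOERROR", 2: "SERVFAIL", 5: "REFUSED"}
# The four builtin zones from the quoted "view bind chaos" block.
CH_NAMES = ("version.bind", "hostname.bind", "authors.bind", "id.server")

def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    labels = [part.encode("ascii") for part in name.rstrip(".").split(".") if part]
    return b"".join(bytes([len(part)]) + part for part in labels) + b"\x00"

def build_query(name, qid, nsid=False):
    """Build a CH TXT query; nsid=True appends an OPT record with an empty NSID option."""
    header = struct.pack("!6H", qid, 0x0000, 1, 0, 0, 1 if nsid else 0)
    question = encode_name(name) + struct.pack("!2H", TYPE_TXT, CLASS_CH)
    opt = b""
    if nsid:
        rdata = struct.pack("!2H", OPT_NSID, 0)  # option code, zero-length payload
        # OPT owner is the root name; the CLASS field carries the UDP payload size.
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, len(rdata)) + rdata
    return header + question + opt

def rcode_of(response, qid):
    """Return the RCODE name, after checking the message is a reply to our query id."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    rid, flags = struct.unpack("!2H", response[:4])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to this query")
    return RCODES.get(flags & 0x000F, str(flags & 0x000F))

def audit(server, source_is_trusted, timeout=2.0):
    """Query each builtin CH name and flag replies that contradict the ACL intent.

    A trusted source (127.0.0.1 in the quoted config) should get NOERROR;
    any other source should get REFUSED. Socket timeouts propagate to the caller.
    """
    findings = {}
    for qid, name in enumerate(CH_NAMES, start=1):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_query(name, qid), (server, 53))
            rcode = rcode_of(sock.recvfrom(4096)[0], qid)
        expected = "NOERROR" if source_is_trusted else "REFUSED"
        findings[name] = (rcode, rcode == expected)
    return findings
```

Run `audit("127.0.0.1", True)` on the server itself and `audit(server_ip, False)` from another host; any entry whose second element is False is a mismatch with the ACL.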