A couple of general points about private names and addresses:

If you have a private subdomain, e.g. private.cam.ac.uk, and a
non-negligible number of users, the names *will* leak into the outside
world and your public nameservers will get queries for them. You should
make sure that your public nameservers return a definite nodata or
NXDOMAIN reply for your private names, not REFUSED, nor a referral to an
RFC 1918 address. The latter two will cause resolvers to retry, and the
retries can become a large proportion of your total authoritative query
traffic.

I have some vague unease about the interaction between the web security
model and names that resolve to RFC 1918 addresses outside their home
network. And some more specific unease about risks of ssh, if you are ever
careless about accepting ssh unknown host warnings. So I guess if you are
careful and you know what you are doing (and by implication, if you don't
have many users) you can put RFC 1918 addresses in public zones, but I
wouldn't recommend it. Assign yourself an IPv6 ULA prefix and use that
instead :-)

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  https://dotat.at/
Plymouth, Biscay: Northwest veering north or northeast, 3 to 5.
Moderate or rough. Occasional drizzle or showers later. Moderate or
good, occasionally poor later.
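
The distinction drawn in the message above, between definite replies (NXDOMAIN, nodata) and those that make resolvers retry (REFUSED, a referral to an RFC 1918 address), as an added example that is not part of the original message: a Python classifier over raw DNS reply bytes. The name host.private.example, the sample bytes and the function names are constructed; it assumes such a referral is a non-authoritative NS delegation whose glue A record lies in RFC 1918 space, and treats any authoritative empty answer as nodata.

```python
import ipaddress
import struct

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) domain name."""
    while (msg[pos] & 0xC0) != 0xC0:     # a compression pointer ends the name
        if msg[pos] == 0:
            return pos + 1               # root label ends the name
        pos += 1 + msg[pos]
    return pos + 2

def records(msg, pos, count):
    """Parse `count` resource records; return ([(type, rdata)], new offset)."""
    out = []
    for _ in range(count):
        pos = skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, pos)
        out.append((rtype, msg[pos + 10:pos + 10 + rdlen]))
        pos += 10 + rdlen
    return out, pos

def classify_reply(msg):
    """Classify what a public authoritative server said about a private name."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg)
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4    # skip QTYPE and QCLASS
    _answers, pos = records(msg, pos, an)
    authority, pos = records(msg, pos, ns)
    additional, pos = records(msg, pos, ar)
    rcode, aa = flags & 0xF, bool(flags & 0x0400)
    if rcode in (3, 5):
        return "NXDOMAIN (definite)" if rcode == 3 else "REFUSED (resolvers retry)"
    if rcode == 0 and an == 0 and aa:
        return "NODATA (definite)"
    if rcode == 0 and an == 0 and any(t == 2 for t, _ in authority):  # NS, AA clear
        glue = [ipaddress.ip_address(d) for t, d in additional if t == 1 and len(d) == 4]
        if any(g in net for g in glue for net in RFC1918):
            return "referral to RFC 1918 (resolvers retry)"
        return "referral"
    return "other"

# Constructed sample: question for host.private.example and a referral with 10.0.0.53 glue.
Q = b"\x04host\x07private\x07example\x00\x00\x01\x00\x01"
BAD_REFERRAL = (b"\x12\x34\x80\x00\x00\x01\x00\x00\x00\x01\x00\x01" + Q
    + b"\xc0\x11\x00\x02\x00\x01\x00\x00\x0e\x10\x00\x05\x02ns\xc0\x11"
    + b"\xc0\x32\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x0a\x00\x00\x35")
```

Feeding it replies captured from your public nameservers for a leaked private name shows whether they land in one of the two definite categories.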
