Hi, I have two questions about authoritative mode.
I have a home LAN, with a classic Bind / ISC DHCP / HPA TFTP setup (started long before dnsmasq ever existed). Recently I decided to rent a server to externalize some public services (web, mail and DNS servers). This server is a libvirt/KVM hypervisor and all virtual machines are connected through a purely virtual bridge, and dnsmasq handles the DNS/DHCP/TFTP part of this LAN (the private part only, no relation to the the public DNS mentioned above). So I'm quite new to dnsmasq and so far I'm quite impressed by the vast possibilities it allows with such a small footprint. Note that for practical reasons, I don't use libvirt's builtin iptables/dnsmasq configurations, I made my own. So, I interconnected both LANs through a VPN (OpenVPN) and all machines can happily communicate. Now I'm trying to ease the DNS administration part, and that's where I'm stuck on a couple of minor problems (really minor, since my setup works quite well, I'm just trying to perfect it a bit). What I'm trying to do is to allow my home LAN's DNS system (Bind) to know about the remote LAN's zone, and fetch the zone data from the remote LAN's dnsmasq (through AXFR). It was quite easy to define a slave type zone, in Bind, and then allow zone transfers in dnsmasq with two configuration lines: auth-sec-servers=<Bind server's IP> auth-peer=<Bind server's IP> Now, the problem is that I'd like the remote LAN to be completely unaware (DNS-wise, at least) of the home LAN's DNS system; in other words, I don't want the Bind server's IP to be listed as a secondary server in the remote LAN's zone data. So I tried to remove the "auth-sec-servers=..." line, but unfortunately this prevented the zone transfer to work. I know it works with Bind: I can define slave zones on some server, while the actual zone file on the master has no mention of any slave server (of course, it's still allowed in the server's configuration by an "allow-transfer" directive, though), making the slave server completely stealth. So this is my first question: is there a way to achieve this with dnsmasq ? If not, is this planned, or could it be considered for a future release ? My second question is more of a feature... inquiry (I was about to write "request" but that would be not only rude, but also not totally faithful to my state of mind). As stated in dnsmasq's manual page (version 2.76, Debian stretch): "at present, reverse (in-addr.arpa and ip6.arpa) zones are not available in zone transfers, so there is no point arranging secondary servers for reverse lookups". So my second question is quite simple: is it planned for a future release ? By searching the mailing list, I saw that a lot of features were considered by the developer(s ?) kind of "outside of scope for such a tiny tool" a decade ago, yet they were finally implemented and are nowadays supported (the power of popular demand, I guess). Since the code for managing AXFR requests is already there, would this feature be hard to implement ? (note that as much as I'd like to, I couldn't help with this, since I'm a pure admin, my development skills are limited to shell and, to some extent, Perl). Thanks a lot in advance for answering those two questions. Regards, -- Raphaël Halimi
Description: OpenPGP digital signature
_______________________________________________ Dnsmasq-discuss mailing list Dnsmasqfirstname.lastname@example.org http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss