>> > server 10.0.0.0/8 { bogus yes; };
>> > server 172.16.0.0/12 { bogus yes; };
>> > server 192.168.0.0/16 { bogus yes; };
PV> > I'm possibly confused. The scenario I was thinking of seems to involve two
PV> > nameservers on the same 10.x.x.x network that want to point to each other
PV> > (for zones that aren't visible off the local network), but don't want to
PV> > accept 10.x.x.x addresses from anyone outside the network.
PV>
PV> i don't know if it's contrived. i do know that i'm comfortable with the idea
PV> that this configuration Would Not Work By Default. if someone wants to use
PV> private address space for DNS work, they should have to run an extra knob.
I don't agree with you in this case. If the server lines noted above are
the default (which I support), I think there should also be an exception
for the listening IP subnet(s)/localnets, e.g.
server localnets { bogus no; };
Of course, there is also a difference between packets received from
outside the local net and inside. A local IP from a local server is
fine; the same address from an external server is suspect.
--
Robert Story
SPARTA
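As an added illustration (not part of this message, and not BIND's own code), the policy sketched above can be expressed as a small check: an RFC 1918 address in an answer is accepted only when the responding server is itself inside one of the configured localnets. The localnets prefix and the addresses used are constructed sample values.

```python
import ipaddress

# RFC 1918 ranges, matching the three `server ... { bogus yes; }` lines quoted above.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(addr):
    """True if addr falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def response_is_bogus(server_addr, answer_addrs, localnets):
    """Decide whether a response should be treated as bogus.

    Policy from the thread: a private address from a server inside our
    localnets is fine; the same address from an outside server is suspect.
    Answers containing no private addresses are accepted by this rule.
    """
    server = ipaddress.ip_address(server_addr)
    nets = [ipaddress.ip_network(n) for n in localnets]
    if any(server in net for net in nets):
        return False  # local server: private answers are expected here
    return any(is_private(a) for a in answer_addrs)


if __name__ == "__main__":
    # Constructed example: our site uses 10.1.0.0/16 internally.
    localnets = ["10.1.0.0/16"]
    cases = [
        ("10.1.0.53", ["10.1.2.3"]),          # internal server, internal answer
        ("198.51.100.7", ["10.1.2.3"]),       # outside server returning 10.x
        ("198.51.100.7", ["203.0.113.9"]),    # outside server, public answer
    ]
    for server, answers in cases:
        verdict = "bogus" if response_is_bogus(server, answers, localnets) else "ok"
        print(f"{server} -> {answers}: {verdict}")
```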
_______________________________________________ DNSOP mailing list [email protected] https://www1.ietf.org/mailman/listinfo/dnsop
