Re: no. of Views and Zones
Pardon a n00b question, but wouldn't that be the case if you used a number of different IPv6 addresses?

Bèrto

On 31 October 2010 14:04, J. Thomsen l...@jth.net wrote:

> Alans,
>
>> Have 2 questions, is there any limitation (beside hardware) on number of views? I mean creating a view/customer?
>> And is there any limitation for number of zones/view?
>
> You cannot use views to group zones for customers. I have recently on this list proposed an extension to the view concept to be able to do this, but nobody has commented on this proposal.
>
> Views are primarily used for cases when IP addresses are different, e.g. internal addresses versus external addresses, depending on the client IP address looking up the zone data.
>
> - Jørgen Thomsen

--
Constitution of 24 June 1793 - Article 35. - When the government violates the rights of the people, insurrection is, for the people and for each portion of the people, the most sacred of rights and the most indispensable of duties.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
a doubt about dnssec
Hi all,

very n00by set of doubts following:

1) what's the point in using dnssec, if the secondary nameserver at my ISP doesn't use it?

2) I see in some guides (for example, http://ru.gentoo-wiki.com/wiki/%D0%9D%D0%B0%D1%81%D1%82%D1%80%D0%BE%D0%B9%D0%BA%D0%B0_%D0%BF%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D0%BE%D0%B3%D0%BE_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80%D0%B0_(Postfix,_Dovecot,_DSpam,_SQLGrey,_DomainKeys,_SPF)#.D0.9D.D0.B0.D1.81.D1.82.D1.80.D0.BE.D0.B9.D0.BA.D0.B0_BIND_.2F_DNSSEC ) that a

    key "xfer_key" {
        algorithm hmac-sha512;
        secret "SECRET-KEY";
    };

is used. Now shouldn't this be useless in my situation? So I'd simply use

    acl "xfer" {
        /* This is the secondary DNS to which we will forward all queries */
        x.x.x.x;
    };

correct?

3) I'm serving idn domains (localized domains) is there any special setting I should use?

Thanks
Bèrto
Re: a doubt about dnssec
ignore the request, I already found out that this cannot be applied to an external untrusted view...

On 10 October 2010 18:38, Bèrto ëd Sèra berto.d.s...@gmail.com wrote:

> Hi all,
>
> very n00by set of doubts following:
>
> 1) what's the point in using dnssec, if the secondary nameserver at my ISP doesn't use it?
>
> 2) I see in some guides (for example, http://ru.gentoo-wiki.com/wiki/%D0%9D%D0%B0%D1%81%D1%82%D1%80%D0%BE%D0%B9%D0%BA%D0%B0_%D0%BF%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D0%BE%D0%B3%D0%BE_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80%D0%B0_(Postfix,_Dovecot,_DSpam,_SQLGrey,_DomainKeys,_SPF)#.D0.9D.D0.B0.D1.81.D1.82.D1.80.D0.BE.D0.B9.D0.BA.D0.B0_BIND_.2F_DNSSEC ) that a
>
>     key "xfer_key" {
>         algorithm hmac-sha512;
>         secret "SECRET-KEY";
>     };
>
> is used. Now shouldn't this be useless in my situation? So I'd simply use
>
>     acl "xfer" {
>         /* This is the secondary DNS to which we will forward all queries */
>         x.x.x.x;
>     };
>
> correct?
>
> 3) I'm serving idn domains (localized domains) is there any special setting I should use?
>
> Thanks
> Bèrto
Re: All zone blocks for public view should be listed here in internaltoo!
Hi!

Thanks for the answer :) Well, this is a web-server, there is no such thing as an internal user or network, let alone 127.0.0.1 (which is definitely in internal only). Since the shipped configuration file is accepting queries from:

    acl "trusted" {
        127.0.0.0/8;
        ::1/128;
    };

I'd say it is made for a single machine only, which is definitely not my case. My internal currently is:

    match-clients { trusted; };
    recursion yes;
    additional-from-auth yes;
    additional-from-cache yes;

    zone "." in {
        type hint;
        file "/var/bind/root.cache";
    };

    zone "localhost" IN {
        type master;
        file "/var/bind/pri/localhost.zone";
        allow-update { none; };
        notify no;
        allow-query { any; };
        allow-transfer { none; };
    };

    zone "127.in-addr.arpa" IN {
        type master;
        file "/var/bind/pri/127.zone";
        allow-update { none; };
        notify no;
        allow-query { any; };
        allow-transfer { none; };
    };

I cannot think of much using it, apart from database listeners on 127.0.0.1 so allowing matches for trusted should be okay. There is nothing that should call one domain from another. Interlinks in web pages are actually client-side calls from the public network, so nothing comes from within.

My Public is

    view "public" in {
        /*
         * Our external (untrusted) view. We permit any client to access
         * portions of this view. We do not perform recursion or cache
         * access for hosts using this view.
         */
        match-clients { any; };
        recursion no;
        additional-from-auth no;
        additional-from-cache no;

        zone "." in {
            type hint;
            file "/var/bind/root.cache";
        };

        zone "example.org" {
            type master;
            file "/var/bind/pri/example.org.external";
            allow-query { any; };
            allow-transfer { xfer; };
        };

etc etc

xfer goes to the secondary nameserver, so everything should be safe.

Thanks
Bèrto

On 23 September 2010 20:21, Lightner, Jeff jlight...@water.com wrote:

> In views order is important. If you have internal before others (e.g. external) then that is the default view.
> What I **think** it is telling you is that if you have an internal view that you restrict to certain networks that you need to ensure you have all the public zones in the external view and the internal view if you intend to have your internal users see them. That is what we do here.
>
> From: bind-users-bounces+jlightner=water@lists.isc.org On Behalf Of Bèrto ëd Sèra
> Sent: Thursday, September 23, 2010 1:14 PM
> To: bind-users@lists.isc.org
> Subject: All zone blocks for public view should be listed here in internaltoo!
>
>> Hi!
>>
>> I hope this is the right alley for my question. I run a public DNS for several domains on a gentoo server. After upgrading to 9.7.1_p2 I read in the shipped configuration that "All zone blocks for public view should be listed here in internal too!". Now, what does it mean? Do I simply copy and paste the public zone entries in the internal zone? And what's the point in doing it, if everyone needs it anyway?
>>
>> I hope you'll pardon my obvious lack of basic knowledge on the subject.
>>
>> Bèrto
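The view-ordering rule discussed in this thread, as an added example that is not part of any poster's message or of the shipped Gentoo configuration: a small Python model of first-match view selection using the ACL and zones quoted above. The function names, the tuple layout and the client address 203.0.113.7 are constructed for illustration, and it assumes the internal view is listed before the public one.

```python
import ipaddress

# Views in named.conf order, modelled on the configuration quoted in this
# thread (assumption: "internal" is listed before "public"). Each entry is
# (name, match-clients networks, recursion, authoritative zones); "any" is
# written as both all-address networks and the root hint zone is left out
# because it does not make a view authoritative for anything.
VIEWS = [
    ("internal", ["127.0.0.0/8", "::1/128"], True,
     {"localhost.", "127.in-addr.arpa."}),
    ("public", ["0.0.0.0/0", "::/0"], False, {"example.org."}),
]

def select_view(client, views=VIEWS):
    """Return the first view whose match-clients contains the client."""
    addr = ipaddress.ip_address(client)
    for view in views:
        for net in view[1]:
            network = ipaddress.ip_network(net)
            if addr.version == network.version and addr in network:
                return view
    return None  # no view matched

def resolve_path(client, qname, views=VIEWS):
    """Return (view name, how a query for qname is handled in that view)."""
    view = select_view(client, views)
    if view is None:
        return (None, "no-view")
    name, _nets, recursion, zones = view
    # Walk up the name looking for a zone this view is authoritative for.
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) + "." in zones:
            return (name, "authoritative")
    return (name, "recursion" if recursion else "not-served")

if __name__ == "__main__":
    # Constructed clients: a local process and an Internet host.
    for client in ("127.0.0.1", "203.0.113.7"):
        print(client, resolve_path(client, "www.example.org"))
    # With the catch-all view first, the internal view is never selected.
    print(select_view("127.0.0.1", list(reversed(VIEWS)))[0])
```

A query for www.example.org from 127.0.0.1 lands in the internal view and is handled by recursion rather than from the example.org zone file, which is the situation the shipped comment about listing public zones in internal addresses.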
Re: All zone blocks for public view should be listed here in internaltoo!
Hi!

> why do you use views then? I guess there's no need for it...

Because I usually tend to modify a proposed configuration as little as possible, as long as it doesn't cause trouble. But it looks like this one is quite far from what a web-server needs.

Bèrto