Re: no. of Views and Zones

2010-10-31 Thread Bèrto ëd Sèra
Pardon a n00b question, but wouldn't that be the case if you used a number
of different IPv6 addresses?

Bèrto

On 31 October 2010 14:04, J. Thomsen l...@jth.net wrote:

 Alans,
 
 Have 2 questions, is there any limitation (beside hardware) on number of
 views? I mean creating a view/customer?
 And is there any limitation for number of zones/view?

 You cannot use views to group zones for customers.

 I have recently on this list proposed an extension to the view concept to
 be able to do
 this, but nobody has commented on this proposal.

 Views are primarily used for cases when IP addresses are different, e.g.
 internal addresses versus external addresses, depending on the client IP
 address looking up the zone data.


 - Jørgen Thomsen

 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users




-- 
==
Constitution of 24 June 1793 - Article 35. - When the government violates the
rights of the people, insurrection is, for the people and for each portion
of the people, the most sacred of rights and the most indispensable of duties.

a doubt about dnssec

2010-10-10 Thread Bèrto ëd Sèra
Hi all,

very n00by set of doubts following:
1) what's the point in using dnssec, if the secondary nameserver at my ISP
doesn't use it?
2) I see in some guides (for example,
http://ru.gentoo-wiki.com/wiki/%D0%9D%D0%B0%D1%81%D1%82%D1%80%D0%BE%D0%B9%D0%BA%D0%B0_%D0%BF%D0%BE%D1%87%D1%82%D0%BE%D0%B2%D0%BE%D0%B3%D0%BE_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80%D0%B0_(Postfix,_Dovecot,_DSpam,_SQLGrey,_DomainKeys,_SPF)#.D0.9D.D0.B0.D1.81.D1.82.D1.80.D0.BE.D0.B9.D0.BA.D0.B0_BIND_.2F_DNSSEC
)
that a

    key "xfer_key" {
        algorithm hmac-sha512;
        secret "SECRET-KEY";
    };

is used. Now shouldn't this be useless in my situation? So I'd simply use

    acl xfer {
        /* This is the secondary DNS to which we will forward all queries */
        x.x.x.x;
    };

correct?
3) I'm serving IDN domains (localized domains); is there any special setting
I should use?

Thanks
Bèrto


Re: a doubt about dnssec

2010-10-10 Thread Bèrto ëd Sèra
ignore the request, I already found out that this cannot be applied to an
external untrusted view...


Re: All zone blocks for public view should be listed here in internaltoo!

2010-09-23 Thread Bèrto ëd Sèra
Hi!

Thanks for the answer :) Well, this is web-server, there is no such thing as
an internal user or network, let alone 127.0.0.1 (which is definitely in
internal only). Since the shipped configuration files is accepting queries
from:

    acl trusted {
        127.0.0.0/8;
        ::1/128;
    };

I'd say is made for a single machine only, which is definitely not my case.

My internal currently is:

    match-clients { trusted; };
    recursion yes;
    additional-from-auth yes;
    additional-from-cache yes;

    zone "." in {
        type hint;
        file "/var/bind/root.cache";
    };

    zone "localhost" IN {
        type master;
        file "/var/bind/pri/localhost.zone";
        allow-update { none; };
        notify no;
        allow-query { any; };
        allow-transfer { none; };
    };

    zone "127.in-addr.arpa" IN {
        type master;
        file "/var/bind/pri/127.zone";
        allow-update { none; };
        notify no;
        allow-query { any; };
        allow-transfer { none; };
    };

I cannot think of much using it, apart from database listeners on 127.0.0.1
so allowing matches for trusted should be okay. There is nothing that
should call one domain from another. Interlinks in web pages are actually
client-side calls from the public network, so nothing comes from within.

My Public is

    view "public" in {
        /*
         * Our external (untrusted) view. We permit any client to access
         * portions of this view. We do not perform recursion or cache
         * access for hosts using this view.
         */

        match-clients { any; };
        recursion no;
        additional-from-auth no;
        additional-from-cache no;

        zone "." in {
            type hint;
            file "/var/bind/root.cache";
        };

        zone "example.org" {
            type master;
            file "/var/bind/pri/example.org.external";
            allow-query { any; };
            allow-transfer { xfer; };
        };

etc etc

xfer goes to the secondary nameserver, so everything should be safe.

Thanks
Bèrto



On 23 September 2010 20:21, Lightner, Jeff jlight...@water.com wrote:

   In views order is important.  If you have internal before others (e.g.
 external) then that is the default view.



 What I **think** it is telling you is that if you have an internal view
 that you restrict to certain networks that you need to insure you have all
 the public zones in the external view and the internal view if you intend to
 have your internal users see them.  That is what we do here.


  --

 *From:* bind-users-bounces+jlightner=water@lists.isc.org *On Behalf Of* Bèrto ëd Sèra
 *Sent:* Thursday, September 23, 2010 1:14 PM
 *To:* bind-users@lists.isc.org
 *Subject:* All zone blocks for public view should be listed here in internaltoo!



 Hi!



 I hope this is the right alley for my question. I run a public DNS for
 several domains on a gentoo server. After upgrading to 9.7.1_p2 I read in
 the shipped configuration that "All zone blocks for public view should be
 listed here in internal too!".

 Now, what does it mean? Do I simply copy and paste the public zone entries
 in the internal zone? And what's the point in doing it, if everyone needs it
 anyway?



 I hope you'll pardon my obvious lack of basic knowledge on the subject.

 Bèrto





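
Added example (not part of the original messages and not code from BIND or the Gentoo-shipped configuration): a small Python model of the first-match view selection discussed in the message above, using the ACLs and zones quoted there. The function names and the client addresses are assumptions made for illustration, and the hint zone "." is left out of the model.

```python
import ipaddress

# Constructed model of the configuration quoted in the message above.
ACLS = {
    "trusted": ["127.0.0.0/8", "::1/128"],
    "any": ["0.0.0.0/0", "::/0"],
}

# Order matters: named uses the first view whose match-clients matches.
VIEWS = [
    {"name": "internal", "match": "trusted", "recursion": True,
     "zones": {"localhost", "127.in-addr.arpa"}},
    {"name": "public", "match": "any", "recursion": False,
     "zones": {"example.org"}},
]

def acl_matches(acl, client):
    """True if the client address falls inside any network of the ACL."""
    addr = ipaddress.ip_address(client)
    nets = (ipaddress.ip_network(n) for n in ACLS[acl])
    return any(addr.version == net.version and addr in net for net in nets)

def select_view(client, views=VIEWS):
    """Return the first view that matches the client, or None."""
    for view in views:
        if acl_matches(view["match"], client):
            return view
    return None

def resolve_path(client, zone, views=VIEWS):
    """Return (view name, how the query for `zone` is handled)."""
    view = select_view(client, views)
    if view is None:
        return (None, "no-view")
    if zone in view["zones"]:
        return (view["name"], "authoritative")
    return (view["name"], "recursion" if view["recursion"] else "not-served")

def shadowed_zones(views=VIEWS):
    """Map each zone to the earlier views that do not carry it."""
    report = {}
    for i, view in enumerate(views):
        for zone in sorted(view["zones"]):
            missing = [v["name"] for v in views[:i] if zone not in v["zones"]]
            if missing:
                report[zone] = missing
    return report

if __name__ == "__main__":
    print(resolve_path("127.0.0.1", "example.org"))
    print(shadowed_zones())
```

In this model a query for example.org from 127.0.0.1 lands in the internal view and is handled by recursion instead of from the local zone file, which is the gap the reply about listing public zones in both views describes.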

Re: All zone blocks for public view should be listed here in internaltoo!

2010-09-23 Thread Bèrto ëd Sèra

 Hi!



 why do you use views then? I guess there's no need for it...


Because I usually tend to modify a proposed configuration as little as
possible, as long as it doesn't cause trouble. But it looks like this one is
quite far from what a web-server needs.

Bèrto