In message , "Petr Spacek via RT" writes:

> On 18.1.2016 04:42, Mark Andrews via RT wrote:
> > This allows queries to reach the Internet when the forwarder is down. The
> > current behaviour is explicitly designed to prevent this. Yes, this requires
> > people to think about what they are trying to achieve.
> >
> > "forward first;" is an optimisation; "forward only;" is grafting of namespace / server
> > reachability.
>
> I see your point, Mark. What about the following approach?
>
> When an automatic empty zone is unloaded, it must be replaced with a new
> auto-generated "replacement" forward zone. The replacement forward zone will
> use IP addresses of the forwarders from the "conflicting"/"user-defined"
> forward zone and use policy = only.

And if you do that you will get SERVFAIL rather than NXDOMAIN when the forwarders are down.

> This will prevent BIND from leaking queries to the public Internet even if the
> user-defined forward policy != only and the forwarder fails.
>
> At the same time, I believe that it would be less error-prone from the user's
> perspective.
>
> > Note "forward" is almost always the wrong way to graft on namespace but somehow
> > this is what people do rather than slaving the top of the private namespace.
>
> I agree, but unfortunately I do not see a way around users' unwillingness to
> change bad habits.
>
> Thank you for considering this.
>
> --
> Petr Spacek @ Red Hat
>
> --
> Ticket History: https://bugs.isc.org/Ticket/Display.html?id=41441

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
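The three configurations discussed in the thread, as an added named.conf example that is not part of the ticket: a user-defined zone for the RFC 1918 reverse space 10.in-addr.arpa, which displaces the automatic empty zone of the same name. The forwarder/master address 192.0.2.53 and the file path are placeholders.

```conf
// Added example, not from the ticket. Defining any zone named
// 10.in-addr.arpa unloads the built-in empty zone for it, so the
// forwarding policy alone decides what happens when 192.0.2.53 is down.

/*
 * Weak form ("forward first;" is only an optimisation): when the
 * forwarder does not answer, named falls back to iterative resolution
 * and the private reverse lookup is sent to the public Internet.
 * Left commented out; named rejects two zones of the same name in one view.
 */
/*
zone "10.in-addr.arpa" {
    type forward;
    forward first;
    forwarders { 192.0.2.53; };
};
*/

// Grafting form: "forward only;" never falls back. With the forwarder
// down the client gets SERVFAIL instead of the NXDOMAIN the empty zone
// would have returned, but nothing leaves the site.
zone "10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};

/*
 * The approach the thread recommends over forwarding: slave the top of
 * the private namespace. Answers then come from the local copy, and an
 * unreachable master degrades to stale data within the zone's expiry,
 * not to SERVFAIL or to leaked queries. Also commented out here for the
 * same duplicate-zone reason; use it instead of the forward zone above.
 */
/*
zone "10.in-addr.arpa" {
    type slave;
    masters { 192.0.2.53; };
    file "/var/named/slaves/10.in-addr.arpa.db";  // placeholder path
};
*/
```

Check which stanza is active with `named-checkconf -p` before reloading; an empty-zone "conflict" message in the log is expected once the user-defined zone is in place.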