From: "Petr Spacek" <pspacek@redhat.com>
To: bind-suggest@isc.org
Subject: Re: [ISC-Bugs #41441] auto-disable empty zones if forward 'first' is configured
Date: Mon, 18 Jan 2016 12:17:10 +0100
Message-ID: <569CC9B6.20707@redhat.com>
References: <568E4DD6.8080106@redhat.com>
Organization: Red Hat

On 18.1.2016 04:42, Mark Andrews via RT wrote:
> This allows queries to reach the Internet when the forwarder is down. The
> current behaviour is explicitly designed to prevent this. Yes, this requires
> people to think about what they are trying to achieve.
>
> "forward first;" is an optimisation; "forward only;" is grafting of namespace / server
> reachability.

I see your point, Mark. What about the following approach?

When an automatic empty zone is unloaded, it must be replaced with a new auto-generated "replacement" forward zone. The replacement forward zone will use the IP addresses of the forwarders from the "conflicting"/"user-defined" forward zone and use policy = only.

This will prevent BIND from leaking queries to the public Internet even if the user-defined forward policy != only and the forwarder fails. At the same time, I believe that it would be less error-prone from the user's perspective.

> Note "forward" is almost always the wrong way to graft on namespace but somehow
> this is what people do rather than slaving the top of the private namespace.

I agree, but unfortunately I do not see a way around users' unwillingness to change bad habits.

Thank you for considering this.

-- 
Petr Spacek @ Red Hat
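A named.conf sketch of the proposal in the message above, added here as an illustration and not part of the original thread or of BIND's own code. It assumes a user-defined forward zone for in-addr.arpa pointing at the documentation address 192.0.2.53, and shows the replacement zone that would stand in for the built-in empty zone 10.in-addr.arpa.

```conf
// Constructed illustration of the proposal; not actual BIND behaviour or code.
// User-defined forward zone: with "forward first", named falls back to normal
// recursion when the forwarder 192.0.2.53 (assumed, documentation address)
// does not answer, so reverse lookups for private space can reach the Internet.
zone "in-addr.arpa" {
    type forward;
    forward first;
    forwarders { 192.0.2.53; };
};

// What the proposal would generate internally in place of the unloaded
// automatic empty zone 10.in-addr.arpa: the same forwarders, but policy
// "only", so a failed forwarder yields SERVFAIL instead of a query leaking
// to the public Internet.
zone "10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};
```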