From marka@isc.org Mon Jan 18 12:14:18 2016
Subject: Re: [ISC-Bugs #41441] auto-disable empty zones if forward 'first' is configured
Date: Mon, 18 Jan 2016 23:14:09 +1100
From: "Mark Andrews" <marka@isc.org>
To: bind-suggest@isc.org
References: <568E4DD6.8080106@redhat.com> <569CC9B6.20707@redhat.com>
Message-ID: <20160118121409.596794058CB4@rock.dv.isc.org>

In message , "Petr Spacek via RT" writes:
> On 18.1.2016 04:42, Mark Andrews via RT wrote:
> > This allows queries to reach the Internet when the forwarder is down. The
> > current behaviour is explicitly designed to prevent this. Yes, this requires
> > people to think about what they are trying to achieve.
> >
> > "forward first;" is optimisation; "forward only;" is grafting of namespace / server
> > reachability.
>
> I see your point, Mark. What about the following approach?
>
> When an automatic empty zone is unloaded, it must be replaced with a new
> auto-generated "replacement" forward zone. The replacement forward zone will
> use IP addresses of the forwarders from the "conflicting"/"user-defined"
> forward zone and use policy = only.

and if you do that you will get SERVFAIL rather than NXDOMAIN when the
forwarders are down.

> This will prevent BIND from leaking queries to the public Internet even if the
> user-defined forward policy != only and the forwarder fails.
>
> At the same time, I believe that it would be less error-prone from the user's
> perspective.
>
> > Note "forward" is almost always the wrong way to graft on namespace but somehow
> > this is what people do rather than slaving the top of the private namespace.
>
> I agree, but unfortunately I do not see a way around users' unwillingness to
> change bad habits.
>
> Thank you for considering this.
>
> --
> Petr Spacek @ Red Hat
>
> --
> Ticket History: https://bugs.isc.org/Ticket/Display.html?id=41441

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
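The three ways of handling a private reverse zone that the exchange contrasts (slaving the top of the namespace, "forward first", and a hand-written version of the proposed "forward only" replacement zone), as an added named.conf illustration that is not from the ticket or from BIND's own sources; 192.0.2.53 is a placeholder master/forwarder address and the slave file path is assumed:

```conf
// Added example, not from the ticket: one named.conf showing the three
// treatments of a private reverse zone that is also an automatic empty
// zone. 192.0.2.53 is RFC 5737 documentation space, the zone names are
// three of BIND's standard automatic empty zones.

options {
    directory "/var/named";
    recursion yes;
    empty-zones-enable yes;   // default: 10/8, 172.16/12, 192.168/16 ... get a local NXDOMAIN

    // Explicitly give up the two empty zones that the forward zones below
    // override. This is the "people have to think about what they are
    // trying to achieve" step rather than an automatic side effect.
    disable-empty-zone "168.192.in-addr.arpa";
    disable-empty-zone "16.172.in-addr.arpa";
};

// (a) What Mark recommends: slave the top of the private namespace.
//     The explicit zone replaces the automatic empty zone, and while the
//     master is unreachable named keeps answering from its last transferred
//     copy (until the SOA expiry), so nothing is sent to the public
//     in-addr.arpa servers.
zone "10.in-addr.arpa" {
    type slave;
    masters { 192.0.2.53; };
    file "slave/10.in-addr.arpa";   // assumed path under "directory"
};

// (b) "forward first" with the empty zone disabled: fine while 192.0.2.53
//     answers, but if it is down named falls back to ordinary recursion
//     and the query leaks to the Internet. This is the case the ticket is
//     about, and why the empty zone was kept in place.
zone "168.192.in-addr.arpa" {
    type forward;
    forward first;
    forwarders { 192.0.2.53; };
};

// (c) "forward only", i.e. the proposed auto-generated replacement zone
//     written by hand: no leak when the forwarder is down, but the client
//     then gets SERVFAIL instead of the NXDOMAIN the empty zone returned.
zone "16.172.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};
```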