From pspacek@redhat.com Mon Jan 18 12:32:21 2016
From: "Petr Spacek"
To: bind-suggest@isc.org
Subject: Re: [ISC-Bugs #41441] auto-disable empty zones if forward 'first' is configured
Date: Mon, 18 Jan 2016 13:32:10 +0100
Message-ID: <569CDB4A.9010503@redhat.com>
References: <568E4DD6.8080106@redhat.com> <569CC9B6.20707@redhat.com> <20160118121409.596794058CB4@rock.dv.isc.org>
Organization: Red Hat
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.0
On 18.1.2016 13:14, Mark Andrews via RT wrote:
>
> In message , "Petr Spacek via RT" writes:
>> On 18.1.2016 04:42, Mark Andrews via RT wrote:
>>> This allows queries to reach the Internet when the forwarder is down. The
>>> current behaviour is explicitly designed to prevent this. Yes, this requires
>>> people to think about what they are trying to achieve.
>>>
>>> "forward first;" is optimisation; "forward only;" is grafting of namespace / server
>>> reachability.
>>
>> I see your point, Mark. What about the following approach?
>>
>> When an automatic empty zone is unloaded, it must be replaced with a new
>> auto-generated "replacement" forward zone. The replacement forward zone will
>> use the IP addresses of the forwarders from the "conflicting"/"user-defined"
>> forward zone and use policy = only.
>
> and if you do that you will get servfail rather than nxdomain when the
> forwarders are down.

Yes, that is correct. I believe that it is a good thing because there is no
useful answer anyway.

Of course, our user base is way smaller than yours, but it seems to me that
users are more puzzled by unexpected NXDOMAIN than by SERVFAILs. Often I can
see users claiming that NXDOMAIN is a caching issue and start to flush caches
along the path, or even lower max-cache-ttl, in the false hope that it would
help (and never return it to the original values, of course).

Petr Spacek @ Red Hat

>> This will prevent BIND from leaking queries to the public Internet even if the
>> user-defined forward policy != only and the forwarder fails.
>>
>> At the same time, I believe that it would be less error-prone from the user's
>> perspective.
>>
>>> Note "forward" is almost always the wrong way to graft on namespace but somehow
>>> this is what people do rather than slaving the top of the private namespace.
>>
>> I agree, but unfortunately I do not see a way around users' unwillingness to
>> change bad habits.
>>
>>
>> Thank you for considering this.
>>
>> --
>> Petr Spacek @ Red Hat
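The configuration the two of them are arguing about, written out as an added example (not part of the thread, and not taken from BIND's own documentation). It shows the `forward only` zone that replaces the built-in empty zone for `10.in-addr.arpa`, the `forward first` variant that Mark calls an optimisation, and the `disable-empty-zone` option an operator has to add for that variant to take effect, since, as Mark's reply describes, the empty zone is kept when the matching forward zone is not `forward only`. The forwarder address 192.0.2.53 is a placeholder from the documentation range, not a real server.

```conf
// Added example for ISC-Bugs #41441 (not the message author's or ISC's
// configuration). 192.0.2.53 is an assumed placeholder forwarder.

options {
    recursion yes;

    // Default: the built-in empty zone for 10.in-addr.arpa stays loaded.
    // A "forward first" zone does not override it, so PTR queries for
    // 10/8 get NXDOMAIN locally and are never sent anywhere.  This is the
    // behaviour Mark says is deliberate, and the NXDOMAIN that puzzles
    // Petr's users.
    //
    // Variant for "forward first": disable that empty zone explicitly.
    // Trade-off: if the forwarder is unreachable, named falls back to
    // iterative resolution and the 10/8 reverse query leaks to the
    // public root and in-addr.arpa servers.
    // disable-empty-zone "10.in-addr.arpa";
};

// "forward only": the built-in empty zone is dropped automatically.
// When 192.0.2.53 is down the resolver answers SERVFAIL rather than
// leaking the query, which is the outcome Petr argues is acceptable.
zone "10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};

// "forward first" alternative (mutually exclusive with the zone above).
// Use only together with the disable-empty-zone line in options, and only
// if a forwarder outage leaking 10/8 PTR queries is acceptable.
// zone "10.in-addr.arpa" {
//     type forward;
//     forward first;
//     forwarders { 192.0.2.53; };
// };
```

Check the file with `named-checkconf` before reloading, then compare `dig -x 10.1.2.3 @127.0.0.1` with the forwarder reachable and with it stopped: with `forward only` the status changes from the forwarder's answer to SERVFAIL; with the empty zone still loaded the status is NXDOMAIN in both cases, which is exactly the ambiguity the thread is about.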