On 18/04/2023 2:43 am, Greg Choules via bind-users wrote:
> Why do you need it? Do you have some secondaries that are not listed as NS in zones?

The goal was to have the primary use a particular TSIG key when it sends out the NOTIFY messages to the secondaries, which is achieved by turning off the default notifies ("notify explicit"), and specifying the keys in an "also-notify" block.

> Regarding views. Why would you have the same zone in an internal and external view? A few years ago, having to maintain multiple zones of the same name but different contents caused me problems daily. I would recommend having internal zones be proper delegations from external zones. e.g.:
> external "example.com"
> internal "internal.example.com"

I agree that having your internal infrastructure in a sub-zone is a good idea. But even if you do this, there are valid reasons for having a split-view of the parent zone. One reason is so that you can include proper NS delegation records in the parent zone (e.g. in the internal view only). (I don't remember all the details, but I seem to recall that without these, if the parent zone is DNSSEC-signed and doesn't use the OPT-OUT feature, then a DNSSEC-validating resolver (e.g. running the "delv" tool) would complain when querying names in the internal zone.)

Nick.
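
The following named.conf fragment is an added illustration of the setup described in this message ("notify explicit" plus keyed "also-notify" entries); it is not taken from the original post. The key name, secret, file path and the 192.0.2.x addresses are placeholders assumed for the example.

```conf
// Primary server: sign outgoing NOTIFY messages with a chosen TSIG key.
// All names, addresses and the secret below are placeholders.

key "notify-key" {
    algorithm hmac-sha256;
    // Placeholder: generate a real secret with tsig-keygen and keep this
    // file readable only by the named user.
    secret "REPLACE_WITH_BASE64_SECRET";
};

zone "example.com" {
    type primary;
    file "primary/example.com.db";   // placeholder path

    // Do not send the default NOTIFYs to the servers in the zone's NS
    // records. With "explicit", only the also-notify targets are notified,
    // so every NOTIFY that leaves this server carries the key given below.
    notify explicit;

    // One entry per secondary; the key clause makes named sign the NOTIFY
    // sent to that address with the named TSIG key.
    also-notify {
        192.0.2.53 key "notify-key";
        192.0.2.54 key "notify-key";
    };
};
```

Because "notify explicit" suppresses the NS-derived notify list, any secondary missing from also-notify will only pick up changes when its refresh timer expires, so the list has to be kept in step with the real set of secondaries.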