On 14/5/2021 3:50 PM, Kevin P. Fleming wrote:

I agree with this sentiment; my publicly-visible zones contain records
with both private addresses and with non-reachable public addresses
(IPv6 GUAs), and I'm fine with that. If someone can learn the address
of one of those systems, that doesn't cause any harm.

Hmm, probably you mean IPv6 Link-local addresses (rather than GUAs); GUAs are reachable indeed.

However, the whole point of the discussion is exactly how to avoid publishing non-reachable (private and link-local) addresses to the Internet, and it seems to me that what you suggest is in fact the opposite of what Brian suggested.

Yet, it is important to know whether publishing to the Internet records with private and/or link-local addresses is not considered bad practice! Is there any documentation (RFC or good practice guidelines) on this subject?

I fully understand and accept Brian's point on running a separate internal authoritative server, but if I could do the job by using a single authoritative server while keeping a subzone private, that would save me valuable administrative cost and would make my admin life easier, especially when taking into account that we are a relatively small organization with relatively few RRs.

So, if someone (Frank?) can give a hint on how to block AXFRs/requests for a delegated subzone (nevertheless hosted on the same authoritative server), that would accomplish what we require while keeping admin effort low.

Thanks everyone for your feedback! I still hope that there is a solution with our current setup (slightly reconfigured).

Nick

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users