X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=chiark-utils.git;a=blobdiff_plain;f=scripts%2Fnamed-conf.8;h=b1547fe93e2c440e5f7e011271243227009b3ef2;hp=feded3bde28d4f9c8a4bed2611d1db7e090f21b2;hb=2c444eebd71ff12a6c29ffaa91d2e716c8f9ca6e;hpb=e9ff70ef02494d7716aed0a63898e77ffcf73dbb diff --git a/scripts/named-conf.8 b/scripts/named-conf.8 index feded3b..b1547fe 100644 --- a/scripts/named-conf.8 +++ b/scripts/named-conf.8 @@ -119,6 +119,10 @@ directive specifies the same group, they are all affected. directives which don't specify a group cannot be affected. It is an error if the group does not appear in the config file. See ZONE STYLE MODIFIERS, below. +.PP +The special group +.B foreign +is used for zones which don't appear in the configuration file. .TP .BR \-q | \-\-quiet Suppress the usual report of the list of nameservers for each zone and @@ -344,7 +348,7 @@ zone maintainer. .B $ Indicates that any mails should be sent about the zone to the nameserver admin rather than to the zone SOA MNAME. This is the -default for stealth zones. +default unless we are supposedly a published server for the zone. .TP .B !@ Indicates that no mails should be sent about the zone to anyone. 
@@ -444,14 +448,13 @@ be necessary to create names for the child's nameservers which are underneath the child's apex, so that the glue records are both in the parent's bailiwick and obviously necessary. -Even worse, the horrid `shared registry system' managing .com, .net -and .org does not allow a single IPv4 address to be used for more than -one nameserver name! It does, however, give out glue for any -nameserver properly registered in the system. I therefore recommend -that you create a single name for your nameserver somewhere -in .com, .net or .org, and use that for all the delegations -from .com, .net and .org. At the time of writing (January 2002) this -seems to produce correct and glueful referrals. +In the past, the `shared registry system' managing .com, .net and .org +did not allow a single IPv4 address to be used for more than one +nameserver name. However, at the time of writing (October 2002) this +problem seems to have been fixed, and the workaround I previously +recommended (creating a single name for your nameserver somewhere +in .com, .net or .org, and using that for all the delegations +from .com, .net and .org) should now be avoided. Finally, a note about `reverse' zones, such as those in in-addr.arpa: It does not seem at all common practice to create nameservers in 
@@ -471,6 +474,22 @@ Dan Bernstein has some information and examples about this at http://cr.yp.to/djbdns/notes.html#gluelessness .UE but be warned that it is rather opinionated. +.SS GLUELESSNESS SUMMARY + +I recommend that every nameserver should have its own name in every +forward zone that it serves. For example: +.br +.B zone.example.com NS servus.ns.example.com +.br +.B servus.ns.example.com A 127.0.0.2 +.br +.B 2.0.0.127.in-addr.arpa PTR servus.example.net +.br +.B servus.example.net A 127.0.0.2 +.LP +Domain names in +.B in-addr.arpa +should not be used in the right hand side of NS records. .SH SECURITY chiark\-named\-conf is supposed to be resistant to malicious data in the DNS. It is not resistant to malicious data in its own options,
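Review bot: in the hunk at @@ -119,6 +119,10 @@, the added sentence `The special group foreign is used for zones which don't appear in the configuration file.` lands directly after `It is an error if the group does not appear in the config file.`, so as written it is unclear whether naming `foreign` on the command line triggers that very error. State explicitly that `foreign` is exempt from the check (it need not, and presumably cannot, be defined in the config file), for example: `The special group foreign, which need not appear in the config file, selects zones which don't appear in the configuration file.` That also tells the reader which zones a style modifier given for `foreign` will affect.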
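Review bot: in the hunk at @@ -344,7 +348,7 @@, the new default clause `unless we are supposedly a published server for the zone` replaces the term the old text used (`stealth zones`) with an undefined phrase, and `supposedly` leaves the reader guessing which test the tool actually applies. Either spell out the condition (for instance, whether it means this server is listed in the zone's NS records or in the parent's delegation) or keep the cross-reference to stealth zones so that the `$` default and the stealth-zone description cannot drift apart.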
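Review bot: in the hunk at @@ -444,14 +448,13 @@, the replacement says the old single-name workaround `should now be avoided` but gives no reason, and it also drops the removed sentence `It does, however, give out glue for any nameserver properly registered in the system.` without saying whether registering a nameserver still yields glue. Say why the workaround is now harmful rather than merely unnecessary (or write `is no longer needed` if that is all that is meant), and keep or restate the point about glue being issued for registered nameservers, since that is what a reader of this section needs in order to decide how to name their servers.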
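Review bot: in the hunk at @@ -471,6 +474,22 @@, the example in the new GLUELESSNESS SUMMARY gives a public nameserver the loopback address `127.0.0.2`, which will mislead anyone copying the pattern; use a documentation address such as `192.0.2.1` instead. The example also has the PTR for that address point at `servus.example.net` while the NS record names `servus.ns.example.com`, which reads as contradicting the sentence just above it (`every nameserver should have its own name in every forward zone that it serves`) unless the text explains that the reverse name is deliberately the server's single canonical name. Minor style: the four record lines would be clearer as a `.nf`/`.fi` block than as `.B` lines separated by `.br`, and the new `.LP` could be `.PP` to match the first hunk.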