
On Mar 7, 2013, at 10:01 AM, Richard Laager <[log in to unmask]> wrote:

> On Thu, 2013-03-07 at 11:18 -0600, David Farmer wrote:
>> It would be better for everyone connected to MICE 
>> to implement the recommendations of RFC 6761
> 
> If I'm reading that correctly, the requirements for a network operator
> boil down to:
> 
>        1. The following zones MUST be configured on our recursive and
>        authoritative DNS servers. They MUST either be empty of records
>        or contain records matching our uses of *routable* private
>        space.
>            10.in-addr.arpa.
>            16.172.in-addr.arpa.
>            17.172.in-addr.arpa.
>            18.172.in-addr.arpa.
>            19.172.in-addr.arpa.
>            20.172.in-addr.arpa.
>            21.172.in-addr.arpa.
>            22.172.in-addr.arpa.
>            23.172.in-addr.arpa.
>            24.172.in-addr.arpa.
>            25.172.in-addr.arpa.
>            26.172.in-addr.arpa.
>            27.172.in-addr.arpa.
>            28.172.in-addr.arpa.
>            29.172.in-addr.arpa.
>            30.172.in-addr.arpa.
>            31.172.in-addr.arpa.
>            168.192.in-addr.arpa.
> 
>        2. The "test." zone MUST be configured on our recursive and
>        authoritative DNS servers. It MUST be empty of records.
> 
>        3. The "localhost." zone MUST be configured on our recursive and
>        authoritative DNS servers. It MUST contain wildcard A and AAAA
>        records pointing to 127.0.0.1 and ::1, respectively.
> 

You are reading it incorrectly. The RFC specifies how your name server should behave by default without you configuring anything.

If you WANT to respond differently than the default stated in the document, you would have to configure your name server accordingly.

Admittedly, if your name servers do not implement RFC6761 by default, then you can mimic most of what it specifies by taking the actions you state above.

> I'm not sure it's possible to implement the "invalid." zone behavior
> without writing a patch. Suggestions are welcome.

Right… The RFC is aimed at name server developers more than name server operators.

> In my network, we have #1 implemented already. I believe it's set up by
> default in BIND, at least in Debian.

Yes, modern versions of BIND ship with RFC6761 compliance.

Owen

> 
> -- 
> Richard


########################################################################

To unsubscribe from the MICE-DISCUSS list, click the following link:
http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
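As an added illustration (not code from this thread, from RFC 6761 or from BIND), the Python below derives the reverse-DNS zones in Richard's item 1 from the RFC 1918 prefixes themselves and renders the named.conf empty-zone stanzas plus the wildcard "localhost." zone file from item 3, for operators whose server does not do this by default; the zone file path and all function names are assumptions.

```python
"""Added example: RFC 6761 / RFC 1918 local zones for a resolver.
Helper names and the /etc/bind/db.empty path are hypothetical."""
import ipaddress
import math

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def reverse_zones(cidr):
    """Return the in-addr.arpa zone names covering one IPv4 prefix.

    in-addr.arpa is delegated on octet boundaries, so a prefix that is not
    a multiple of 8 bits (172.16.0.0/12) is split into the /16 networks it
    contains, giving one zone per /16 (16.172 ... 31.172), exactly the
    list in the thread."""
    net = ipaddress.ip_network(cidr)
    octets = math.ceil(net.prefixlen / 8)        # zone granularity: /8, /16 or /24
    zones = []
    for sub in net.subnets(new_prefix=octets * 8):
        labels = str(sub.network_address).split(".")[:octets]
        zones.append(".".join(reversed(labels)) + ".in-addr.arpa.")
    return zones


def all_private_reverse_zones():
    """The 18 zones of item 1, in the order they appear in the thread."""
    return [z for cidr in RFC1918 for z in reverse_zones(cidr)]


def bind_empty_zone_config(zones, zone_file="/etc/bind/db.empty"):
    """Render named.conf stanzas that serve an SOA/NS-only zone file, so
    reverse lookups for private space get NXDOMAIN locally instead of
    leaking to the public DNS (zone_file is a placeholder path)."""
    return "\n".join(
        f'zone "{z.rstrip(".")}" {{ type master; file "{zone_file}"; }};'
        for z in zones
    )


def localhost_zone_file(ttl=3600):
    """Zone file for "localhost." per item 3: wildcard A and AAAA records
    so every name under localhost. resolves to the loopback addresses."""
    return "\n".join([
        f"$TTL {ttl}",
        "@  IN SOA  localhost. root.localhost. ( 1 3600 900 604800 3600 )",
        "   IN NS   localhost.",
        "   IN A    127.0.0.1",
        "   IN AAAA ::1",
        "*  IN A    127.0.0.1",
        "*  IN AAAA ::1",
    ])


if __name__ == "__main__":
    print(bind_empty_zone_config(all_private_reverse_zones()))
    print(localhost_zone_file())
```

Modern BIND serves these as built-in empty zones by default (the `empty-zones-enable` option), which is the default behaviour Owen refers to; the generated stanzas are only needed where that is absent or has been turned off.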