[rbldnsd] The basics - help

Michael Tokarev mjt at tls.msk.ru
Thu Feb 15 00:51:51 MSK 2007


amos at treenetnz.com wrote:
[]
>> Setting up a forward of each CIDR ip pool based on country.
>>
>> zone "AE.blocked.rbl" IN {
>> type forward;
>> forward first;
>> forwarders {
>> 127.0.0.1 port 530;
>> };
>> };

First of all this "forward first" is WRONG.  It directs BIND to query
the given nameserver (127.0.0.1:530 in this case) AND if that failed,
process normally starting from regular root nameservers.  This way,
if rbldnsd is, say, reloading and thus not answering promptly, you'll
get NXDOMAIN for existing entries.

Please follow this simple rule: For all your internal domains, don't
let queries out.

[]
> You may be able to reduce this bit of the configuration a lot by using:
> zone "blocked.rbl" IN {
>   type forward;
>   forward first;

ditto

>   forwarders {
>   127.0.0.1 port 530;
>   };
> };
> 
> rbldnsd will return NXDOMAIN for _anything_ outside its specified and
> correctly loaded zone content. This produces a possible answer to your
> other question about UK.

This is wrong.  rbldnsd will return REFUSED for any base zone not specified
on the command line.  Say, you loaded a.rbl and b.rbl, and query for c.rbl -
rbldnsd will correctly return REFUSED because it doesn't know anything about
it and can't perform recursive lookups.

But together with the above mistake ("forward first"), the whole thing WILL
work - it's a rare case where two minuses give a plus as a result.  But it's
only a visible plus - internally the query goes thru outside nameservers which
it shouldn't.

/mjt
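As an added illustration (not part of mjt's reply or of rbldnsd's own documentation), here is the forwarding stanza from the quoted configuration written both ways: the mistaken `forward first` form beside the `forward only` form that follows the rule above and keeps queries for the private zone from leaving the server. The zone name and port 530 are taken from the quoted configuration; everything else is assumed.

```conf
// WRONG: "forward first" asks rbldnsd on 127.0.0.1:530 and, if that
// query fails (rbldnsd reloading, or REFUSED for a zone it does not
// serve), BIND falls back to normal recursion from the root servers.
// The private zone name then leaks to outside nameservers and a
// temporarily unanswered query turns into NXDOMAIN for a real entry.
zone "AE.blocked.rbl" IN {
    type forward;
    forward first;
    forwarders {
        127.0.0.1 port 530;
    };
};

// RIGHT: "forward only" sends the query to rbldnsd and nowhere else.
// If rbldnsd does not answer, the client gets a failure rather than a
// misleading NXDOMAIN fetched from the outside, and the internal zone
// name never leaves this server.
zone "AE.blocked.rbl" IN {
    type forward;
    forward only;
    forwarders {
        127.0.0.1 port 530;
    };
};
```

With `forward only`, a sub-zone that rbldnsd was not started with (the UK case discussed above) is no longer quietly resolved via outside nameservers; the answer comes from rbldnsd or not at all, which is the intended behaviour for an internal-only zone.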
