[rbldnsd] The basics - help

[Steve E. Mosher]

Folks,

This will be changed ASAP.

--Mosher

-----Original Message-----
From: rbldnsd-bounces at corpit.ru [mailto:rbldnsd-bounces at corpit.ru] On
Behalf Of Michael Tokarev
Sent: Wednesday, February 14, 2007 1:52 PM
To: rbldnsd at corpit.ru
Subject: Re: [rbldnsd] The basics - help

amos at treenetnz.com wrote:
[]
>> Seeting up a forward of each CIDR ip pool based on country.
>>
>> zone "AE.blocked.rbl" IN {
>> type forward;
>> forward first;
>> forwarders {
>> 127.0.0.1 port 530;
>> };
>> };

First of all this "forward first" is WRONG.  It directs BIND to query
the given nameserver (127.0.0.1:530 in this case) AND if that failed,
process normally starting from regular root nameservers.  This way,
if rbldnsd is, say, reloading and thus not answering promptly, you'll
get NXDOMAIN for existing entries.

Please follow this simple rule: For all your internal domains, don't
let queries out.

[]
> You may be able to reduce this bit of the configuration a lot by
using:
> zone "blocked.rbl" IN {
>   type forward;
>   forward first;

ditto

>   forwarders {
>   127.0.0.1 port 530;
>   };
> };
> 
> rbldnsd will return NXDOMAIN for _anything_ outside its specified and
> correctly loaded zone content. This produces a possible answer to your
> other question about UK.

This is wrong.  rbldnsd will return REFUSED for any base zone not
specified
on the command line.  Say, you loaded a.rbl and b.rbl, and query for
c.rbl -
rbldnsd will correctly return REFUSED because it doesn't know anything
about
it and can't perform recursive lookups.

But together with the above mistake ("forward first"), the whole thing
WILL
work - it's a rare case where two minuses gives a plus as a result.  But
it's
only visible plus - internally the query goes thru outside nameservers
which
it shouldn't.

/mjt

_______________________________________________
rbldnsd mailing list
rbldnsd at corpit.ru
http://www.corpit.ru/mailman/listinfo/rbldnsd