[oclug] named: "enforced delegation-only"
Raymond Wood
raywood at magma.ca
Sun Nov 7 19:11:58 EST 2004
On Sun, Nov 07, 2004 at 03:25:43PM -0500, Dave O'Neill imagined:
> On Sun, Nov 07, 2004 at 02:37:29PM -0500, Raymond Wood wrote:
> > Over the past few weeks I have begun to see the following type of
> > entry showing up in my logs:
> > -----------------------------------------------------------------
> > named[4854]: enforced delegation-only for 'com'
> > (ns6.iluvdns.com/A/IN) from 192.41.162.30#53
> > -----------------------------------------------------------------
> >
> > I am running the bind9 service currently, and I realize that this
> > log message is related to named. After googling a bit, however, I'm
> > still not clear on what the message really means, or what the
> > implications are for me.
>
> "delegation-only" is a BIND setting that allows you to declare that
> you don't want to get direct responses for a particular zone, only
> delegations to the authoritative server. It can be enabled on a
> per-zone basis, or as a blanket policy for all top-level domains.

Well I'm beginning to wonder if I should be running BIND at all, since I
obviously don't have a good understanding of the *details* of how it
works. Your explanation above (which I appreciate, don't get me wrong)
presupposes a level of familiarity with DNS that I simply don't have at
present.

> This is the feature that lets you avoid the wildcard responses that
> Verisign was returning from their root servers for every unregistered
> domain name.

I have some familiarity with this issue, and this sounds like a Good
Thing.

> Details can be found in the BIND9 Administrator Manual (see
> /usr/share/doc/bind9-doc on Debian) or on the ISC page at
> http://www.isc.org/products/BIND/delegation-only.html

I've looked at both these references, and it is to me just more
'DNS-speak' -- over my head unfortunately, since I don't have a context
from which to interpret these explanations.

In short, I still don't have a clear idea of why I am seeing these log
entries (e.g. what specifically originates them?), or whether they are
benign, or else something to be concerned about.

In any case, thanks for your reply. I'm happy to receive any further
insight into these log entries if anyone has the patience to spell it
out to someone who is DNS-challenged :-)

Have Fun with GNU/Linux,
Raymond
--
"Be Nice, or Leave - By Order of the Management"
(Sign above door, Black Sheep Inn, Wakefield)
GPG Fingerprint: 2E4D 8605 DD48 E80F F893 1C02 B65D 86D9 3B3C 0E03
Encrypted E-mail Preferred
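
An added example (not part of the original message, and not code from BIND or ISC): a small Python parser for the log entry quoted above, grouping entries by the delegation-only zone and by the server whose answer named discarded. The syslog prefix, the helper names and every sample line other than the quoted entry are constructed for illustration.

```python
import re
from collections import defaultdict

# Layout taken from the entry quoted in the post (syslog writes it on one line):
#   named[PID]: enforced delegation-only for 'ZONE' (NAME/TYPE/CLASS) from IP#PORT
ENTRY = re.compile(
    r"named\[\d+\]: enforced delegation-only for '(?P<zone>[^']+)' "
    r"\((?P<name>[^/\s]+)/(?P<rtype>\w+)/(?P<rclass>\w+)\) "
    r"from (?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
)

def parse_entry(line):
    """Return the fields of one delegation-only entry, or None for any other line."""
    m = ENTRY.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["zone"] = rec["zone"].lower()
    rec["name"] = rec["name"].rstrip(".").lower()
    rec["port"] = int(rec["port"])
    return rec

def summarise(lines):
    """Map (zone, answering server) -> sorted list of NAME/TYPE answers discarded."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_entry(line)
        if rec:
            groups[(rec["zone"], rec["server"])].add(f'{rec["name"]}/{rec["rtype"]}')
    return {key: sorted(names) for key, names in groups.items()}

# Constructed sample: the first two lines are the entry from the post with a
# made-up syslog prefix; the rest are invented (documentation address ranges).
SAMPLE_LOG = """\
Nov  7 14:30:01 host named[4854]: enforced delegation-only for 'com' (ns6.iluvdns.com/A/IN) from 192.41.162.30#53
Nov  7 14:30:09 host named[4854]: enforced delegation-only for 'com' (ns6.iluvdns.com/A/IN) from 192.41.162.30#53
Nov  7 14:31:44 host named[4854]: enforced delegation-only for 'net' (no-such-name.example.net/A/IN) from 192.0.2.53#53
Nov  7 14:32:10 host named[4854]: lame server resolving 'example.org' (in 'example.org'?): 198.51.100.7#53
""".splitlines()

if __name__ == "__main__":
    for (zone, server), names in summarise(SAMPLE_LOG).items():
        print(f"zone '{zone}': answers from {server} discarded for {', '.join(names)}")
```

The address after `from` is the remote server that sent the response, so the summary shows which name servers keep returning answers where only a delegation is accepted.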