Date: Wed, 3 Sep 2008 15:50:31 +0200 (CEST)
From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-current@FreeBSD.ORG, Alex Goncharov <alex-goncharov@comcast.net>
Subject: Re: named mystery -- error: dumping master file: ??master/tmp-wTjhUzoix6
Message-ID: <200809031350.m83DoVw6021573@lurza.secnetix.de>
In-Reply-To: <E1KaDNd-0005he-UV@daland.home>

Alex Goncharov wrote:
 > In most environments I've been, including my home environment, the
 > idea that static and DHCP addresses have to be in different zones,
 > and/or be served by various DNS servers, would not be met
 > enthusiastically and probably would not fly at all.  At home, I have
 > some static addresses and the rest is DHCP-assigned -- all in one
 > zone.  Having two zones to accommodate a couple of static addresses
 > for the servers doesn't sound like a good idea to me.

Of course you can have both dynamic and static entries
within the same zone.  But the question is:  Is that zone
only visible to your internal network, or is it public?
If it's only internal, then the BIND jail serving that
zone should be bound to an internal IP address, so an
attacker from outside cannot break into the BIND jail.

It is usually not a good idea to put dynamic entries of
internal hosts into a zone that is served to the public
internet.  So it is not only an issue of static vs. dynamic,
but also internal vs. public.  Ideally your internal and
public DNS would run on different machines, but that's
probably overkill for a home network (I assume you don't
have a DMZ network at home).

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registergericht Muenchen, HRA 74606, Management:
secnetix Verwaltungsgesellsch. mbH, Commercial register: Registergericht
München, HRB 125758, Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more:  http://www.secnetix.de/bsd

"We will perhaps eventually be writing only small modules which are
identified by name as they are used to build larger ones, so that
devices like indentation, rather than delimiters, might become feasible
for expressing local structure in the source language."
        -- Donald E. Knuth, 1974
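
The setup described in the message above, as an added named.conf sketch that is not part of the original e-mail: one internal-only zone holding both static and DHCP-registered records, served by a named instance that listens only on an internal address. The addresses, the zone name "home.example", the key name, the file path and the secret are constructed placeholders.

```conf
// Constructed example; every address, name and path below is a placeholder.
acl internal { 127.0.0.0/8; 192.168.1.0/24; };

options {
    // Weak setting: named answers on every address of the host or jail,
    // including a public one, so the internal zone is reachable from outside.
    // listen-on { any; };

    // Corrected: listen only on the internal address assigned to the jail.
    listen-on    { 192.168.1.53; };
    listen-on-v6 { none; };

    // Second layer in case an interface is added later:
    // only internal clients may query, recurse or transfer.
    allow-query     { internal; };
    allow-recursion { internal; };
    allow-transfer  { none; };
};

// Shared TSIG key the DHCP server uses for dynamic updates.
// Placeholder secret: replace it with a generated base64 value.
key "dhcp-update" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_GENERATED_SECRET";
};

// Single internal zone with static server records and dynamic DHCP
// entries side by side; only the key holder may change records.
zone "home.example" {
    type master;
    file "dynamic/home.example.db";
    allow-update { key "dhcp-update"; };
};
```

A public zone, if one exists, would be served by a separate named instance or machine and would contain none of the dynamic internal entries.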