> There is no reason you can't make the BIND 4 box serve your authoritative
> domains, and forward anything it does not load/cache to another DNS
> server.
> Had to grab the DNS and BIND 1st edition for this one but you should be able
> to do it with:
> forwarders 1.1.1.1 1.1.1.2 etc
> slave
>
> Slave is what BIND 4 used as forward only.


But if you are going to "forward only;" you can use TSIG
with 9.4.2 and secure your communication paths. You will
stop being an open recursive server by default. When BIND
9.4.3 is finalised you can upgrade to it or to BIND 9.5.2.

The -P1s (and the upcoming -P2s) are stopgap measures until
the betas stabilise. They work for most sites most of the
time; however, for large sites there will be more hand tuning
involved, potentially retuning the kernel to return more
descriptors.

Named has gone from using a small number of descriptors to
using potentially very large numbers which will exceed the
system's ability to supply them. The problem is to work
out good strategies to deal with the problem. We are working
on how to deal with the issue without making the security
picture worse or degrading performance, though it may come
down to making a choice.

Mark

> On Thu, Jul 31, 2008 at 12:57 PM, Jaroslaw Rafa wrote:
>
> > After three days of unsuccessful attempts to run BIND 9.5.0-P1 on a very
> > old system, I gave up. Because this machine is about to be completely
> > replaced by a new one in several months, in the meantime I will use a
> > forwarder.
> >
> > However, I have two questions:
> > 1) what should I do when my DNS server is not only a resolver for the
> > clients, but also a master server for several zones? Should I keep the
> > master zones on the server and forward anything else to the forwarder, or
> > move all the zones to the machine running forwarder and use a forward-only
> > configuration? I'd prefer the first solution if possible.
> > 2) can anybody help with how to configure this on BIND 4?
> > Regards,
> > Jaroslaw Rafa
> > raj@ap.krakow.pl
> > --
> > I invite you to my new website: http://www.ap.krakow.pl/~raj/
>
> --
> -Ben Croswell

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
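
The setup discussed in this thread (master zones kept local, everything else sent "forward only" to a forwarder over a TSIG-signed path, recursion limited to known clients), sketched as a BIND 9 named.conf. This is an added example, not configuration posted by anyone in the thread; the forwarder address 192.0.2.53, the client network 192.0.2.0/24, the key name "fwd-key", the zone example.com, the directory and the secret placeholder are all assumptions.

```conf
// Added example, not from the thread. All names and addresses are assumed.

// Shared secret; the same key statement must exist on the forwarder.
key "fwd-key" {
    algorithm hmac-sha256;                  // must be supported on both ends
    secret "REPLACE_WITH_BASE64_SECRET";    // placeholder, not a real key
};

// Sign every request this server sends to the forwarder with that key.
server 192.0.2.53 {
    keys { "fwd-key"; };
};

// Only these clients may ask recursive questions (assumed network).
acl "clients" { 127.0.0.1; 192.0.2.0/24; };

options {
    directory "/var/named";                 // assumed path
    forwarders { 192.0.2.53; };
    forward only;                           // never iterate from this host
    allow-recursion { "clients"; };         // not an open recursive server
};

// Authoritative data is answered from the zone file; only names outside
// the loaded zones go to the forwarder.
zone "example.com" {
    type master;
    file "db.example.com";
};

// On the forwarder (separate named.conf), the matching side would be:
//   key "fwd-key" { algorithm hmac-sha256; secret "REPLACE_WITH_BASE64_SECRET"; };
//   options { allow-recursion { key "fwd-key"; }; };
```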