CVS Commit: FAC dist/service/dnsother/usr/domain/etc by jhutz

Jeffrey Hutzelman jhutz+ at minbar.fac.cs.cmu.edu
Tue May 19 14:12:50 EDT 2015


Update of /afs/cs.cmu.edu/project/fac-cvs/dist/service/dnsother/usr/domain/etc
In directory minbar.fac.cs.cmu.edu:/afs/cs.cmu.edu/project/fac-master/dist/service/dnsother/usr/domain/etc

Modified Files:
	named.conf.proto 
Log Message:
dnscs, dnsother: put local view before REC, CMU

The order of view declarations matters - a client request is handled in
earliest-declared matching view.  To determine whether a view matches,
its match-clients address match list is scanned, in order, looking for a
matching entry.  If that entry is positive, the client matches the view;
if negative, the client does not match the view.  Later entries in that
view's match-clients list are not relevant (similar processing is also
done for match-destinations, but we don't use that).

Our policy is that requests signed with a view key are processed in the
corresponding view, and other requests are processed in an appropriate
view based on the client's address (requests signed with a DDNS key are
always processed in the master view).  To achieve this under the mechanism
described above, each view's match-clients list begins first with that
view's key, then negative matches of the keys for all views appearing
later, and finally any entries matching client addresses.

For correct address-based matching, views with more-specific address lists
must appear before those with overlapping less-specific lists (but after
the master view, which appears first).  This change moves the local-cs
and local-other views, which match 127.0.0.1, above the CMU view, which
matches all CMU clients including the loopback address.  Without this
change, machines running authoritative server configurations would not
provide recursive service to themselves.
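
The first-match behaviour described in the log message above can be modelled in a few lines. This is an added example, not part of the commit or of the named.conf.proto file: the "<view>-key" key names, the 192.0.2.0/24 stand-in for the CMU address list, the key-only master view and the omission of the REC view are all assumptions made for illustration.

```python
import ipaddress

def entry_matches(entry, client_ip, tsig_key):
    """True if one address-match-list element applies to this request."""
    kind, value = entry
    if kind == "key":
        return tsig_key == value
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(value)

def view_matches(match_clients, client_ip, tsig_key):
    """First applicable element decides; later elements are ignored."""
    for negated, entry in match_clients:
        if entry_matches(entry, client_ip, tsig_key):
            return not negated
    return False

def build_views(order, addresses):
    """Each view: own key, then negated keys of later views, then addresses."""
    views = []
    for i, name in enumerate(order):
        acl = [(False, ("key", name + "-key"))]  # hypothetical key names
        acl += [(True, ("key", later + "-key")) for later in order[i + 1:]]
        acl += [(False, ("net", net)) for net in addresses.get(name, [])]
        views.append((name, acl))
    return views

def select_view(views, client_ip, tsig_key=None):
    """Return the earliest-declared view that matches, or None."""
    for name, acl in views:
        if view_matches(acl, client_ip, tsig_key):
            return name
    return None

# Constructed sample data: 192.0.2.0/24 stands in for the CMU address list.
ADDRESSES = {
    "local-cs": ["127.0.0.1/32"],
    "CMU": ["192.0.2.0/24", "127.0.0.1/32"],
}
BEFORE = build_views(["master", "CMU", "local-cs"], ADDRESSES)  # old order
AFTER = build_views(["master", "local-cs", "CMU"], ADDRESSES)   # new order

if __name__ == "__main__":
    for label, views in (("before", BEFORE), ("after", AFTER)):
        print(label, "unsigned loopback ->", select_view(views, "127.0.0.1"))
        print(label, "CMU-key loopback  ->",
              select_view(views, "127.0.0.1", "CMU-key"))
```

With the old order an unsigned query from 127.0.0.1 lands in the CMU view; with the new order it lands in local-cs, while a query signed with the CMU key is still steered to the CMU view by the negated key entries.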



