allow-notify applies to slave zones only and defines a match list, for example, IP address(es) that are allowed to NOTIFY this server and implicitly update the zone in addition to those hosts defined in the masters option for the zone.

SOA serial: 1377691702
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3000
SOA time to live: 1800
Active zone: TRUE
Allow query: any;
Allow transfer: none;

To create the reverse zone by its IP network, set the network information to the (forward-style) IP address, with the subnet mask bit count.

The bit count must be a multiple of eight for IPv4 addresses or a multiple of four for IPv6 addresses.
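As an added illustration of that rule (example code written for this page, not part of FreeIPA or BIND), the following Python derives the in-addr.arpa or ip6.arpa zone name from a forward-style network and refuses prefix lengths that do not fall on a label boundary; the function names are my own.

```python
import ipaddress

# Constructed helper (not from FreeIPA or BIND): derives the reverse zone
# that a forward-style network such as "192.168.1.0/24" maps onto.

def prefix_is_reverse_zone_aligned(network: str) -> bool:
    """True if the prefix length is a multiple of 8 (IPv4) or 4 (IPv6),
    i.e. the network boundary falls on a whole reverse-zone label."""
    net = ipaddress.ip_network(network, strict=False)
    step = 8 if net.version == 4 else 4
    return net.prefixlen > 0 and net.prefixlen % step == 0

def reverse_zone_name(network: str) -> str:
    """Return the in-addr.arpa / ip6.arpa zone name for `network`.

    strict=True rejects inputs with host bits set (e.g. 192.168.1.5/24),
    which would otherwise silently name a zone the operator did not intend.
    Raises ValueError when the prefix length is not label-aligned.
    """
    net = ipaddress.ip_network(network, strict=True)
    if not prefix_is_reverse_zone_aligned(network):
        step = 8 if net.version == 4 else 4
        raise ValueError(
            f"prefix /{net.prefixlen} is not a multiple of {step} for IPv{net.version}"
        )
    if net.version == 4:
        # One label per octet; keep only the octets covered by the prefix.
        octets = str(net.network_address).split(".")
        labels = octets[: net.prefixlen // 8]
        suffix = "in-addr.arpa."
    else:
        # One label per hex nibble; the exploded form keeps leading zeros.
        nibbles = net.network_address.exploded.replace(":", "")
        labels = list(nibbles[: net.prefixlen // 4])
        suffix = "ip6.arpa."
    return ".".join(reversed(labels)) + "." + suffix

if __name__ == "__main__":
    # Constructed sample networks, including one that is not label-aligned.
    for sample in ("192.168.1.0/24", "10.0.0.0/8", "2001:db8::/32", "192.168.0.0/20"):
        try:
            print(sample, "->", reverse_zone_name(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```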

// fragment
// key clause is shown only for illustration and would
// normally be included in the file
key "update-key" {
    ....
};
....
zone "example.com" in {
    ....
    allow-update { key "update-key"; };
};
zone "example.org" in {
    ....
    allow-update { key "update-key"; };
};

In the zone, the reference to the key clause "update-key" implies that the application that performs the update, say nsupdate, is using TSIG and must also have the same shared secret with the same key-name.

This statement may be used in a zone, view or an options clause.

While on its face this may seem an excessively friendly default, DNS data is essentially public (that's why it's there) and the bad guys can get all of it anyway.

However, if the thought of anyone being able to transfer your precious zone file is repugnant, or (and this is far more significant) you are concerned about a possible DoS attack initiated by XFER requests, then use the following policy.

It sets a general grant or deny rule over a very specific part of the DNS zone. The full statement covers the zone name and how clients are allowed to edit specific records and record types within the zone.

[[email protected] ~]# ipa dnszone-show server.
  Zone name: server.
  Authoritative nameserver: dns.
  Administrator e-mail address: admin.
  SOA serial: 1377691702
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3000
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

[[email protected] ~]$ kinit admin
[[email protected] ~]$ ipa dnszone-mod server. --ttl=1800
  Zone name: server.
  Authoritative nameserver: dns.
  Administrator e-mail address: admin.

allow-update-forwarding defines a match list, for instance, IP address(es) that are allowed to submit dynamic updates to a 'slave' server for onward transmission to a 'master'.