Why are queries for some PTR records no longer forwarded since upgrading to BIND 9.9.0?
Author: ISC Support | Reference Number: AA-00803 | Created: 2012-09-27 16:56 | Last Updated: 2017-10-05 12:41

You may see this behaviour if you use IP addresses within the RFC 1918 private address space; it is due to the introduction of automatic empty zones for RFC 1918 prefixes.

BIND provides a number of empty zones that are automatically configured and loaded (for each view) when named starts.  The purpose of these zones is to prevent recursive servers from sending meaningless queries to Internet servers that cannot handle them (thus creating delays and SERVFAIL responses to clients who query for them).  These empty zones ensure that immediate and authoritative NXDOMAIN responses are returned instead.

All empty zones that named loads automatically are logged as they are created and loaded when named starts up, or you can refer to the list in the Administrator Reference Manual (available in the BIND distributed source code and online at: https://www.isc.org/downloads/bind/doc/).

The configuration option empty-zones-enable controls whether or not empty zones are created, whilst the option disable-empty-zone can additionally be used to disable one or more individual empty zones from the list of default prefixes.

For a view that has recursion enabled, the default is "empty-zones-enable yes;".

For a view that has recursion disabled, the default is "empty-zones-enable no;".
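The two options side by side, as an added example that is not ISC's own configuration: a recursive server that forwards reverse lookups for 10/8 to internal DNS servers. The 10/8 prefix, the forwarder addresses and the test addresses in the comments are assumptions chosen for illustration.

```conf
// named.conf fragment (constructed example; addresses are placeholders)
options {
    recursion yes;   // recursive view, so empty-zones-enable defaults to yes

    // Broad setting: removes every automatic empty zone, so queries for
    // all the other default prefixes are sent out to the Internet again.
    // empty-zones-enable no;

    // Targeted setting: drop only the empty zone for the prefix that is
    // handled internally; the rest keep answering NXDOMAIN locally.
    disable-empty-zone "10.IN-ADDR.ARPA";
};

// Reverse lookups for 10/8 go to the internal servers instead.
zone "10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 10.0.0.53; 10.0.1.53; };   // assumed internal DNS servers
};

// Checks after reloading named:
//   named-checkconf
//   dig @127.0.0.1 -x 10.1.2.3      (answered via the forwarders)
//   dig @127.0.0.1 -x 192.168.1.1   (still NXDOMAIN from the empty zone)
```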

For a longer and more detailed article on the implementation of automatic empty zones, see: Automatic empty zones (including RFC 1918 empty zones) (you will need to log in to view this article, but registration is open to all).


© 2001-2017 Internet Systems Consortium


Feedback 2
  • [palumbog]: This doc is relevant to a possible bug in BIND 9.9.x 2013-08-13 16:16

    I stumbled across this doc when trying to solve an interesting problem in BIND 9.9.2-P2 (which still exists in 9.9.3-P2). The issue is that if you define an arpa zone for an RFC 1918 address as a FORWARD type, BIND will ignore this and treat the zone as undefined in the named.conf and then process its built-in empty-zones code. The server will not send any packets to the defined forwarders for that zone, yet if you change the zone to any other (non-RFC-1918) IP address, it will forward the query as expected. Once I added "empty-zones-enable no;" to the config, I was then able to forward queries as expected. I will try to submit a bug report on this, but wanted to point out I was grateful to find this new configuration option.

    Best regards,
    Greg Palumbo

  • [Cathy Almond]: Re: This doc is relevant to a possible bug in BIND 9.9.x 2013-08-15 20:34

    Hi Greg, thank you for your feedback. I'd like to encourage you to use "disable-empty-zone" rather than "empty-zones-enable no;" as it allows you just to disable the RFC1918 empty zones that you need to define internally.

    You also did correctly identify a bug (RT #34583). The existence of a configured zone within the range of the candidate RFC1918 empty zone should prevent it from being automatically created. This exclusion works for all zones except type forward. The workaround is to use option "disable-empty-zone". The problem will of course be fixed in a future release.

    Cathy Almond, ISC Support.
