Re: What does 'match-destinations' match? (Bind Users forums, DNS and Related Forums category)
Walkenhorst, Benjamin wrote:
> I see that you can define a view not only by the clients that get
> to see it, but also by setting 'match-destinations', which takes an
> address match list.
> But what does it refer to?
> The address of the nameserver or the destination of the query?
> I've gone over the Bind9 Administrator's Reference Manual thoroughly,
> I've read IBM's documentation and I've been asking Google exhaustively.
> I've found some examples where match-destinations was used, but I couldn't
> see what it was to match.
> I have the suspicion that this refers to the nameserver's address rather than
> the address of the host queried for - since the nameserver doesn't have a way of
> knowing beforehand what address the query will resolve to; if I'm right, I think this
> is useful in situations where a nameserver has more than one IP (like a public IP and
> another IP on a private network, which is also the situation of choice to use views).
> _Am_ I right?

Yes, that's correct. Thus you can have a single server that serves the public view to the world (maybe domain.com, www.domain.com, mail.domain.com, etc.) and the private view to an internal network (host1, host2, printer1, printer2, server1, etc.).

I much prefer this approach to match-clients because an administrator (or anybody else) on the internal network can easily verify how a public query would resolve by overriding the default name server and giving the public query interface. External queries to the inside interface are simply blocked at a firewall like any other service.

Another potential scenario might be multiple businesses sharing office space and a LAN. Each could have a separate interface alias on the name server and would only see their own views by default but could see others if they needed to.

- Brian
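The view selection discussed in this thread, as an added example that is not part of the original posts or of BIND itself: a small Python model of first-match view selection, contrasting views keyed on `match-destinations` with views keyed on `match-clients`. The addresses, view names and the `select_view` helper are assumptions made for illustration, and the model ignores other selectors such as `match-recursive-only` and TSIG keys.

```python
"""Simplified model of BIND 9 view selection: the first view, in configuration
order, whose match-clients AND match-destinations both match the query wins.
All addresses and view names are constructed for illustration."""
from ipaddress import ip_address, ip_network

ANY = [ip_network("0.0.0.0/0")]  # an omitted match list defaults to "any"

PUBLIC_IF = "192.0.2.53"   # assumed public address of the name server
INTERNAL_IF = "10.0.0.53"  # assumed internal address of the same server

# Views keyed on the server address that received the query.
DEST_VIEWS = [
    {"name": "internal", "match_destinations": [ip_network(INTERNAL_IF + "/32")]},
    {"name": "external", "match_destinations": [ip_network(PUBLIC_IF + "/32")]},
]

# The alternative design: views keyed on the client's source address.
CLIENT_VIEWS = [
    {"name": "internal", "match_clients": [ip_network("10.0.0.0/8")]},
    {"name": "external"},  # no match lists, so it catches everything else
]


def _matches(addr, acl):
    """True if addr falls inside any network of the address match list."""
    return any(ip_address(addr) in net for net in acl)


def select_view(client, destination, views):
    """Return the name of the first matching view, or None if no view matches."""
    for view in views:
        if (_matches(client, view.get("match_clients", ANY))
                and _matches(destination, view.get("match_destinations", ANY))):
            return view["name"]
    return None


if __name__ == "__main__":
    lan_host = "10.0.0.25"  # constructed internal client
    for label, views in (("match-destinations", DEST_VIEWS),
                         ("match-clients", CLIENT_VIEWS)):
        for dst in (INTERNAL_IF, PUBLIC_IF):
            print(label, lan_host, "->", dst, ":", select_view(lan_host, dst, views))
```

With the destination-keyed views the internal host reaches the external view simply by querying the public address, while the client-keyed views return the internal view whichever address it queries.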