Secure zones implement named security on a zone by zone basis. It is designed to use a permission list of networks or hosts which may obtain particular information from the zone.
In order to use zone security, named must be compiled with SECURE_ZONES defined and you must have at least one secure_zone TXT RR. Unless a secure_zone record exists for a given zone, no restrictions will be applied to the data in that zone. The format of the secure_zone TXT RR is:
secure_zone addr-class TXT string
The addr-class may be either HS or IN. The syntax for the TXT string is either ``network address:netmask'' or ``host IP address:H''.
``network address:netmask'' allows queries from an entire network. If the netmask is omitted, named will use the default netmask for the network address specified.
``host IP address:H'' allows queries from a host. The ``H'' after the ``:'' is required to differentiate the host address from a network address. Multiple secure_zone TXT RRs are allowed in the same zone file.
For example, you can set up a zone to only answer Hesiod requests from the masked class B network 126.96.36.199 and from host 188.8.131.52 by adding the following two TXT RR's:
secure_zone HS TXT ``184.108.40.206:255.255.0.0'' secure_zone HS TXT ``220.127.116.11:H''
This feature can be used to restrict access to a Hesiod password map or to separate internal and external internet address resolution on a firewall machine without needing to run a separate named for internal and external address resolution.
Note that you will need to include your loopback interface (127.0.0.1) in your secure_zone record, or your local clients won't be able to resolve names.