Allowed transfers?

Kevin Darcy kcd at daimlerchrysler.com
Wed May 29 21:07:53 UTC 2002


google at gushi.org wrote:

> Hi, this may be a routine question.
>
> But is there any way to simply allow transfers for a zone to any NS
> record you've defined?  I know that "all defined ns servers" is the
> default for notification, and those should naturally be allowed to
> transfer from you, at least by my logic.

That doesn't necessarily follow. Slaves are sometimes daisy-chained off
of other slaves. Sometimes this is necessary because of
connectivity/security restrictions, or simply to offload some
zone-transfer traffic from the primary master server. So, just because a
server is in the NS records, it doesn't necessarily follow that it
should be allowed to transfer zones directly from the primary master.

> I mean, I've had to set the "allow-transfer" field to get my DNS to
> play nice at all, but I'd like to be able to do it such that for zone
> A, if I had
>
> @ IN  NS  A.bob.com
>
> it would allow transfer for that domain, without me having to put
> allow-transfer for a.bob.com's ip in my named.conf.
>
> I guess what I'm having to avoid is in the event of a change of
> servers, having to go through everywhere and change ip addresses.

I know of no simple way to do it.

Why do you restrict zone transfers at all? Do you believe in Security
Through Obscurity? Frankly, I think restricting zone transfers is more
trouble than it's worth.

But, if you're intent on restricting zone transfers, why not set up TSIG
and restrict zone transfers by TSIG key instead of by IP address? That
will give you more *real* security (since IP addresses can be spoofed),
and it means you wouldn't have to update IP addresses all of the time.
Of course, now you have a key management issue instead...


- Kevin
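The TSIG-keyed allow-transfer setup Kevin suggests, laid out for the daisy-chained case from his first paragraph, as an added example that is not part of the original post or of ISC's own documentation. Hostnames ns1/ns2/ns3, the 192.0.2.x addresses, the key names and the base64 secrets are placeholders chosen for this illustration; the secrets would normally come from tsig-keygen (or dnssec-keygen -n HOST on older releases) and must be identical on both ends of each transfer. hmac-sha256 needs BIND 9.4 or later; earlier versions only support hmac-md5.

```conf
// ---- ns1 (primary master) named.conf fragment, constructed example ----
// Only the holder of "ns1-ns2" may pull the zone; ns3 is in the NS set
// but is NOT given a key here, so it cannot transfer from the primary.
key "ns1-ns2" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LWZvci1leGFtcGxlLW9ubHktcmVwbGFjZS1tZQ==";   // placeholder
};

zone "example.com" {
    type master;
    file "master/example.com.zone";
    // weak form (what the original poster is maintaining by hand):
    //   allow-transfer { 192.0.2.2; 192.0.2.3; };
    // keyed form: matches on the TSIG key name, not the source address,
    // so renumbering ns2 needs no change here.
    allow-transfer { key "ns1-ns2"; };
};

// ---- ns2 (first-tier slave, also serves transfers to ns3) ----
key "ns1-ns2" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LWZvci1leGFtcGxlLW9ubHktcmVwbGFjZS1tZQ==";   // same as on ns1
};
key "ns2-ns3" {
    algorithm hmac-sha256;
    secret "YW5vdGhlci1wbGFjZWhvbGRlci1zZWNyZXQtcmVwbGFjZS1tZQ==";   // placeholder
};

zone "example.com" {
    type slave;
    file "slaves/example.com.zone";
    // sign every SOA query and AXFR/IXFR to the master with "ns1-ns2"
    masters { 192.0.2.1 key "ns1-ns2"; };
    // downstream slave authenticates with a separate key
    allow-transfer { key "ns2-ns3"; };
};

// ---- ns3 (second-tier slave, daisy-chained off ns2) ----
key "ns2-ns3" {
    algorithm hmac-sha256;
    secret "YW5vdGhlci1wbGFjZWhvbGRlci1zZWNyZXQtcmVwbGFjZS1tZQ==";   // same as on ns2
};

zone "example.com" {
    type slave;
    file "slaves/example.com.zone";
    masters { 192.0.2.2 key "ns2-ns3"; };   // pulls from ns2, never from ns1
};

// Manual check from ns2's shell (dig -y takes [hmac:]keyname:secret):
//   dig @192.0.2.1 example.com AXFR \
//       -y hmac-sha256:ns1-ns2:c2VjcmV0LWZvci1leGFtcGxlLW9ubHktcmVwbGFjZS1tZQ==
// The same query without -y, or with the wrong key, is answered with REFUSED.
```

The ACL element `key "name"` makes the match depend on a valid TSIG signature rather than on the packet's source, which is the property Kevin is after: moving a slave to a new address changes nothing on the master. The cost he mentions is visible above too: every link needs its own shared secret on both machines, and rotating one means editing two named.conf files in step.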