Authoritative Server - Referrals to root
Barry Margolin
barmar at alum.mit.edu
Thu Apr 7 22:35:25 UTC 2005
In article <d347bc$1jf7$1 at sf1.isc.org>, "Unlisted" <unlisted at gmail.com>
wrote:
> For security reasons we should not be serving authoritative data if the
> end user does not want it/approve of it. This above domain was one
> example - but it happens quite often on others. A customer's DNS will
> expire / be terminated / or whatever else and unless they are current
> customers we should not be serving anything for them. Serving
> authoritative data for a customer's zone without their permission could
> lead to legal problems (sitefinder revisited).
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40329
>
> I'm curious - why would BIND 9 return a NOERROR on a zone that's not in
> named.conf? I think the appropriate behaviour would be not to return
> the list of ROOT-SERVERS and return a SERVFAIL? Can we turn off
> referrals on unknown zones? Maybe just removing the root hints file
> does this?
I think the reason is that the server doesn't know that the zone is
delegated to it. If you query your server with Recursion Desired, it
will look up the delegation and notice that it's delegated to itself;
since it doesn't have the zone in its authoritative data, it will
realize there's a configuration error (either on the server or in the
delegation) and return SERVFAIL.
But when it receives a non-recursive query, it will never look up the
delegation, and not realize that there's any inconsistency between its
configuration and the delegation.
--
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
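The distinction Barry draws (a non-recursive query for a zone the server does not hold comes back NOERROR with the root NS set in the authority section, while a recursive one ends in SERVFAIL) is easy to spot on the wire if you parse the reply rather than eyeball dig output. The script below is an added example, not code from this thread or from BIND: it builds a query with the RD bit cleared, as a remote resolver would send to an authoritative server, and classifies a reply as authoritative, upward referral (NS RRs owned by "."), ordinary downward referral, SERVFAIL or NXDOMAIN. The responses it classifies offline are constructed in `build_response`; `example.test` and the probed server address are placeholders, and `probe` is the only function that touches the network.

```python
"""Detect upward (root) referrals from an authoritative server (added example)."""
import socket
import struct

# Header flag bits, RFC 1035 section 4.1.1
QR = 1 << 15
AA = 1 << 10
RD = 1 << 8
TYPE_NS = 2
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name such as 'example.test.' into wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels = []
    resume = None  # where to continue once a compression pointer was followed
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if resume is None:
                resume = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (resume if resume is not None else offset)


def build_query(name, qid=0x1234, recursion_desired=False):
    """QTYPE A query; RD cleared is what another resolver sends an authoritative server."""
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, CLASS_IN)


def build_response(name, rcode=0, aa=False, ns_owners=(), qid=0x1234):
    """Constructed sample reply (not captured traffic): echoes the question and
    puts one NS RR per (owner, target) pair into the authority section."""
    flags = QR | (AA if aa else 0) | rcode
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, len(ns_owners), 0)
    question = encode_name(name) + struct.pack("!HH", 1, CLASS_IN)
    authority = b""
    for owner, target in ns_owners:
        rdata = encode_name(target)
        authority += encode_name(owner) + struct.pack(
            "!HHIH", TYPE_NS, CLASS_IN, 518400, len(rdata)) + rdata
    return header + question + authority


def parse_rr(msg, offset):
    """Parse one resource record; return (owner, type, offset after the RR)."""
    owner, offset = decode_name(msg, offset)
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
    return owner, rtype, offset + 10 + rdlen


def classify(msg):
    """Label a reply: servfail, nxdomain, authoritative, upward_referral, referral, other."""
    _qid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    if rcode == 2:
        return "servfail"
    if rcode == 3:
        return "nxdomain"
    if rcode != 0:
        return "rcode-%d" % rcode
    if flags & AA:
        return "authoritative"
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    for _ in range(an):
        _, _, offset = parse_rr(msg, offset)
    ns_owners = set()
    for _ in range(ns):
        owner, rtype, offset = parse_rr(msg, offset)
        if rtype == TYPE_NS:
            ns_owners.add(owner)
    if an == 0 and "." in ns_owners:
        return "upward_referral"  # the root-hints referral discussed in the thread
    if an == 0 and ns_owners:
        return "referral"
    return "other"


def probe(server, name, port=53, timeout=3.0):
    """Send a non-recursive query over UDP and classify the reply (network use)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, port))
        reply, _ = sock.recvfrom(4096)
    return classify(reply)
```

Running `probe("192.0.2.1", "zone-you-no-longer-host.example.")` against each of your own authoritative servers, for every zone you recently removed, is a cheap audit of whether they still hand out root referrals; an answer of `upward_referral` is the behaviour the original poster is asking to turn off, and `servfail` or `refused` is what you would expect after tightening the configuration.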