allow-recursion stuff
Mipam
mipam at ux11.ltcm.net
Wed Jun 7 23:10:08 UTC 2006
On Thu, 8 Jun 2006, Mark Andrews wrote:
>
> > Hi All,
> >
> > The allow-recursion { trusted; }; is very nice.
> > However, isn't it true that when you haven't also got
> > allow-query { trusted; }; there is still an issue with just
> > allow-recursion? For example, suppose that somebody within the trusted range
> > did a query on yahoo.com, it'll be cached. Suppose that allow-query isn't set
> > and an external client does a query on yahoo.com he'll get a response because
> > the answer is still in the cache? Meaning that external clients can query
> > the specified domains which are defined in named.conf but also what is in
> > cache? I guess this issue will be addressed in bind 9.4.0 with
> > "allow-query-cache" ?
>
> You can achieve the same effect in earlier versions. You just have
> allow-query { any; }; in every zone.
Ok, but I was trying to say that allow-recursion isn't enough to restrict
recursion when you haven't also got allow-query specified in versions
below 9.4.0, because of the entries in cache that can still be viewed by
external non-trusted clients, so recursion can still be done for entries
present in cache. So I guess in bind 9.4.0 allow-recursion +
allow-query-cache can remedy this issue, although I'd also specify
allow-query in the options section as well, 'cause then even without
allow-query-cache there is no issue.

Point is that I don't see this issue described somewhere and that I am
surprised over it and wondered why? Or maybe I am wrong in this
assertion?
Bye,
Mipam.
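
The configurations discussed in this thread, side by side, as an added example that is not part of the original posts. The ACL contents, zone name and file name are placeholders; the three variants are alternatives, not one file.

```conf
// Constructed example: address range, zone name and file name are placeholders.
acl "trusted" { 192.0.2.0/24; localhost; };

// ---- Variant A: the setup questioned in the thread (before 9.4.0) ----
// Only recursion is restricted. Nothing limits who may send queries,
// so a name already resolved for a trusted client can still be
// answered from cache to an outside client.
options {
    allow-recursion { trusted; };
};

// ---- Variant B: before 9.4.0, following the quoted reply ----
// Restrict queries globally, then open each authoritative zone again.
options {
    allow-query     { trusted; };
    allow-recursion { trusted; };
};
zone "example.com" {
    type master;
    file "example.com.db";
    allow-query { any; };   // needed in every zone served to the public
};

// ---- Variant C: 9.4.0 and later ----
// allow-query-cache controls who may read cached answers, so the
// per-zone overrides from variant B are no longer required.
options {
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };
};
```

To check the result from an address outside the ACL, `dig +norecurse @<server> yahoo.com` should come back REFUSED instead of a cached answer, while a query for a zone the server is authoritative for still succeeds.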