query cache and BIND 9.4.1-P1
Mark Andrews
Mark_Andrews at isc.org
Wed Aug 8 22:56:04 UTC 2007
If you have not specified allow-query or allow-query-cache
or allow-recursion the default acls are:

	allow-query { any; }; // zones inherit this.
	allow-recursion { localnets; localhost; };
	allow-query-cache { localnets; localhost; };

Mark
--- 9.4.2b1 released ---
2206. [security] "allow-query-cache" and "allow-recursion" now
cross inherit from each other.
If allow-query-cache is not set in named.conf then
allow-recursion is used if set, otherwise allow-query
is used if set, otherwise the default (localnets;
localhost;) is used.
If allow-recursion is not set in named.conf then
allow-query-cache is used if set, otherwise allow-query
is used if set, otherwise the default (localnets;
localhost;) is used.
[RT #16987]
2202. [security] The default acls for allow-query-cache and
allow-recursion were not being applied. [RT #16960]
--- 9.4.0 released ---
2006. [security] Allow-query-cache and allow-recursion now default
to the builtin acls "localnets" and "localhost".
This is being done to make caching servers less
attractive as reflective amplifying targets for
spoofed traffic. This still leaves authoritative
servers exposed.
The best fix is for full BCP 38 deployment to
remove spoofed traffic.
1676. [func] New option "allow-query-cache". This lets
allow-query be used to specify the default zone
access level rather than having to have every
zone override the global value. allow-query-cache
can be set at both the options and view levels.
If allow-query-cache is not set allow-query applies.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
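
The fallback order in change 2206 above can be worked through for a given set of options. The following is an added example, not part of the original message and not ISC code: it models the 9.4.2b1 rules as the CHANGES entry states them, and the function names, the dict representation of named.conf options, and the sample ACL values are assumptions made for illustration.

```python
# Added illustration of the ACL fallback described in change 2206 (9.4.2b1).
# Input: only the statements explicitly set in named.conf, as lists of
# address-match elements. Negation ("!any") and named ACLs are not modelled.
DEFAULT = ["localnets", "localhost"]

def effective_acls(options):
    aq = options.get("allow-query")
    aqc = options.get("allow-query-cache")
    ar = options.get("allow-recursion")

    def first_set(*candidates):
        # The first explicitly set ACL wins; otherwise the built-in default.
        for acl in candidates:
            if acl is not None:
                return acl
        return DEFAULT

    return {
        # allow-query itself defaults to any (zones inherit it).
        "allow-query": aq if aq is not None else ["any"],
        # allow-query-cache: own value, else allow-recursion, else allow-query.
        "allow-query-cache": first_set(aqc, ar, aq),
        # allow-recursion: own value, else allow-query-cache, else allow-query.
        "allow-recursion": first_set(ar, aqc, aq),
    }

def open_to_any(options):
    """Names of the cache/recursion ACLs that end up matching any client."""
    eff = effective_acls(options)
    return sorted(name for name in ("allow-query-cache", "allow-recursion")
                  if "any" in eff[name])

if __name__ == "__main__":
    # Constructed sample configurations.
    samples = {
        "nothing set": {},
        "allow-query any written out": {"allow-query": ["any"]},
        "recursion restricted only": {"allow-recursion": ["10.0.0.0/8"]},
        "any plus recursion restricted": {"allow-query": ["any"],
                                          "allow-recursion": ["localnets"]},
    }
    for label, opts in samples.items():
        print(label, effective_acls(opts), "open:", open_to_any(opts))
```

The second sample is the case worth checking on a real server: an explicit allow-query { any; } with neither of the other two statements set is inherited by both, so the cache and recursion are open to any client, while leaving allow-query unset keeps them at localnets and localhost.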