DNS Security
wwebb at adni.net
Mon Dec 27 22:19:17 UTC 1999
> Your question is ambiguously worded. Are you concerned about slave
> zones in general that have (or don't have) ACLs or are you asking
> about slave servers for a zone where its master server has an ACL?
Excuse my lack of clarity. I will endeavour to persevere in
clarifying my issues. I'm interested in maximizing security against
spoofing attacks. Options are set to allow-recursion for specific
internal servers only and fetch-glue is set to "no." This being the
case, there are several points on which I'm not totally clear:
1. What, if any, security advantage is obtained by not setting
allow-query { any; } in a particular master or slave zone?
2. If allow-recursion is set for specific internal servers only, what
disadvantage is there to not including in a master zone statement
the allow-query { any; }? I understand, for example, if a third
level domain had been delegated to other name servers, then a
recursive inquiry for record information within that delegated zone
would only result in a reply sending them to the name servers
serving the delegated zone. But aside from such a limited
circumstance, why else would you want recursion turned back on
for a particular zone?
Bill Webb