BIND 8.x, security, and delegations

Gregg TeHennepe gat at jax.org
Fri Jun 11 14:13:01 UTC 1999


Hi all,

I'm trying to set up security under BIND 8.x, and am having trouble with rejected
queries for hosts in a delegated domain.

I'm running BIND 8.2 on the primary and 8.1.2 on the secondary for my domain
(jax.org), and have been following Cricket's nice presentation on securing
servers. Note that we delegate a subdomain (informatics.jax.org) within our
network, and that we provide neither primary nor secondary support for that
domain. I created an ACL for my local networks, and set up a default of
allow-query internal, then configured the zones for allow-query all. I
immediately began seeing rejected queries from around the net for third party
hosts, which was no surprise ;-/; however, I started getting rejected queries for
a hostname within the delegated domain. My zone file for jax.org contains:

@               IN      SOA     aretha.jax.org. postmaster.aretha.jax.org. 
				[...]
                IN      NS      aretha.jax.org.
                IN      NS      billie.jax.org.
                IN      NS      nic.near.net.

informatics     3600    IN      NS      hobbes.informatics.jax.org.
                3600    IN      NS      uncompaghre.informatics.jax.org.

hobbes.informatics.jax.org.       3600   IN      A       192.233.41.22
uncompaghre.informatics.jax.org.  3600   IN      A       192.233.41.33

The named.conf entry for the zone is:

zone "jax.org" {
        type master;
        file "jax.org.hosts";
        allow-query { any; };
};

The rejects look straightforward:

Jun 11 09:43:41 aretha named[602]: unapproved query from [128.205.1.2].32772 for "www.informatics.jax.org"

My understanding is that a query on a hostname in the informatics.jax.org domain
should be asking my nameservers for the NS records for that domain and the
associated glue records, and then the hostname A record query should be sent to
one of the NSs for that domain, not my nameserver.

Are these rejections legitimate, i.e. the remote resolver sending the query is
doing the wrong thing and has every reason to be rejected, or is there something
wrong with our delegation or the security configuration?

One thought I had was that as recursion is on by default, my nameserver is going
ahead and attempting the A record lookup outside the zone instead of passing
back the referral NS records. However the config file docs seem to indicate that
the recursion setting is server-wide, not zone specific, and since this server
is also a primary resolver for clients in my domain, that would turn off
recursion for them as well, which I don't think I want to do.  Do I need to
separate my servers for the domain from my resolvers for the domain's clients?
Can I specify recursion on a zone-by-zone basis?

Thanks much in advance for any assistance... Cheers  - Gregg

-- 
Gregg TeHennepe  | Unix Systems Administrator  | The Jackson Laboratory
gat at jax.org      | http://a.jax.org/~gat       | Bar Harbor, Maine  USA
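A small triage script, added here as an illustration and not part of the original post or of BIND itself: it parses the "unapproved query" syslog lines in the format quoted above and buckets each rejected name by whether it falls under a zone served locally (jax.org), under the delegated informatics.jax.org subdomain, or is an outside name for which the client wanted recursion. The zone names come from the post; the log lines are constructed, and the sample source addresses are placeholders.

```python
import re
from collections import Counter

# BIND 8 syslog format, as quoted in the post above.
UNAPPROVED_RE = re.compile(
    r'named\[\d+\]: unapproved query from \[(?P<ip>[\d.]+)\]\.(?P<port>\d+) '
    r'for "(?P<qname>[^"]+)"'
)

# Zones served on this server and the subdomain delegated away (from the post).
LOCAL_ZONES = ("jax.org",)
DELEGATED_ZONES = ("informatics.jax.org",)

def in_zone(name, zone):
    """True if name equals zone or lies below it (trailing dots ignored)."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)

def classify(qname):
    """Bucket a rejected query name by where its answer should live."""
    if any(in_zone(qname, z) for z in DELEGATED_ZONES):
        return "delegated"    # child zone: a referral, not a local answer
    if any(in_zone(qname, z) for z in LOCAL_ZONES):
        return "local"        # our own zone, where allow-query { any; } applies
    return "third-party"      # outside name: an outside client asking for recursion

def parse_unapproved(lines):
    """Yield (source ip, source port, qname) for each rejection line."""
    for line in lines:
        m = UNAPPROVED_RE.search(line)
        if m:
            yield m.group("ip"), int(m.group("port")), m.group("qname")

def summarize(lines):
    """Count rejections per bucket and per source address within each bucket."""
    counts, sources = Counter(), {}
    for ip, _port, qname in parse_unapproved(lines):
        kind = classify(qname)
        counts[kind] += 1
        sources.setdefault(kind, Counter())[ip] += 1
    return counts, sources

# Constructed sample log lines (addresses are placeholders, not real clients).
SAMPLE_LOG = """\
Jun 11 09:43:41 aretha named[602]: unapproved query from [128.205.1.2].32772 for "www.informatics.jax.org"
Jun 11 09:44:02 aretha named[602]: unapproved query from [128.205.1.2].32773 for "www.example.com"
Jun 11 09:45:17 aretha named[602]: unapproved query from [192.0.2.7].1053 for "hobbes.informatics.jax.org"
Jun 11 09:45:18 aretha named[602]: Ready to answer queries.
Jun 11 09:46:00 aretha named[602]: unapproved query from [198.51.100.9].5353 for "ftp.example.net"
""".splitlines()

if __name__ == "__main__":
    counts, sources = summarize(SAMPLE_LOG)
    for kind, n in counts.items():
        print(f"{kind:12s} {n:4d}  top sources: {sources[kind].most_common(3)}")
```

A steady stream in the "delegated" bucket points at how the server handles names below the delegation under the global allow-query default, whereas the "third-party" bucket is simply outside clients being refused recursion.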
