BIND 8.x, security, and delegations

Gregg TeHennepe gat at jax.org
Mon Jun 14 20:07:07 UTC 1999


Cricket Liu wrote:
> 
> Gregg TeHennepe <gat at jax.org> wrote in message
> news:<3761196D.BD6E2E7D at jax.org>...
> > My understanding is that a query on a hostname in the informatics.jax.org
> > domain should be asking my nameservers for the NS records for that
> > domain and the associated glue records, and then the hostname A record
> > query should be sent to one of the NSs for that domain, not my
> > nameserver.
> 
> Actually, no.  Remote name servers never specifically look up NS records
> during iterative name resolution (unless you send them queries for NS
> records).  They look up what you tell them to, and your name server makes
> the decision to send back a referral to the informatics.jax.org name
> servers.
> 
> Consequently, the name server's response is correct:  They're asking for a
> name outside the jax.org zone (in the informatics.jax.org subzone), and thus
> covered by your global allow-query access list.

Hi Cricket,

Thanks for the reply, not to mention the presentation on security! Just to make
sure that I understand, you're saying that the remote server is correctly being
denied the A record by the security config and that fact is being logged,
however my server is at the same time supplying the referral to the delegated
domain's name servers (which is not being logged), and that eventually the
remote server gets the correct A record and the lookup succeeds.  

I imagine if I turned on debugging I could confirm this, just in case the folks
in the delegated domain need proof positive.

Cheers   - Gregg

Gregg TeHennepe  | Unix Systems Administrator  | The Jackson Laboratory
gat at jax.org      | http://aretha.jax.org/~gat  | Bar Harbor, Maine  USA
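
The access-list selection Cricket describes above, as an added example that is not part of the original posts: a name at or below a delegation point is outside the parent zone, so the global `allow-query` list covers it even when the parent zone's own list is open. The ACL values and host names are constructed assumptions (the thread does not show the real named.conf), and the model covers only which list applies, not what response the server sends.

```python
import ipaddress

# Constructed configuration (assumption): not the poster's real named.conf.
GLOBAL_ALLOW_QUERY = ["192.0.2.0/24"]            # options { allow-query { ... }; };
ZONES = {                                         # zones this server is authoritative for
    "jax.org": {
        "allow_query": ["0.0.0.0/0"],             # zone-level list open to everyone
        "delegations": ["informatics.jax.org"],   # NS records that cut out a subzone
    },
}

def labels(name):
    """Split a domain name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def is_at_or_below(name, ancestor):
    """True when name equals ancestor or is a descendant (label-wise match)."""
    n, a = labels(name), labels(ancestor)
    return len(n) >= len(a) and n[-len(a):] == a

def governing_acl(qname):
    """Return (source, acl) for the allow-query list that covers qname."""
    enclosing = [z for z in ZONES if is_at_or_below(qname, z)]
    if enclosing:
        # The most specific authoritative zone wins.
        zone = max(enclosing, key=lambda z: len(labels(z)))
        cuts = ZONES[zone]["delegations"]
        # Names at or below a zone cut belong to the subzone, not this zone.
        if not any(is_at_or_below(qname, cut) for cut in cuts):
            return ("zone " + zone, ZONES[zone]["allow_query"])
    return ("global options", GLOBAL_ALLOW_QUERY)

def query_allowed(qname, client_ip):
    """Return (which list applied, whether client_ip matches it)."""
    source, acl = governing_acl(qname)
    addr = ipaddress.ip_address(client_ip)
    return source, any(addr in ipaddress.ip_network(net) for net in acl)

if __name__ == "__main__":
    # Constructed queries from an outside and an inside client address.
    for qname, ip in [("www.jax.org", "203.0.113.9"),
                      ("host.informatics.jax.org", "203.0.113.9"),
                      ("host.informatics.jax.org", "192.0.2.10")]:
        print(qname, ip, query_allowed(qname, ip))
```
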


