More on advisory question

Barry Margolin barmar at bbnplanet.com
Fri Oct 8 21:04:25 UTC 1999


   Date: Fri, 8 Oct 1999 16:40:14 -0400 (EDT)
   From: Dave Wreski <dave at nic.com>


   > >Why is the ACL 'trusted' not known?
   > 
   > How is BIND supposed to know what IP addresses you trust?  You have to
   > define it using an "acl" statement.  For example,

   I thought it was a reserved word.  There was no mention of that in the
   advisory.  I have used the allow-transfer statement, however.  Can you
   explain the difference?  Can the 'trusted' be used in the same manner,
   effectively?

allow-transfer controls who can do zone transfers (list the entire contents
of a zone), allow-query controls who can do ordinary queries.  They both
allow you to define named ACLs to specify groups of addresses.  The only
predefined ACLs are "any", "none", "localhost" (all the IP addresses of the
server itself), and "localnets" (subnets directly connected to any of the
server's interfaces).

   > >Actually, how do I prevent unauthorized queries?  I'd like to prevent
   > >someone from doing:
   > >
   > ># nslookup www.netscape.com ns.mydomain.com
   > 
   > How do you possibly think you can stop people on machines you have no
   > control over from typing that command?  All you can do is configure your
   > server so it won't answer them.

   Heh, I thought I'd strap 30k volts to everyone's keyboard when it was
   detected that they were typing that.. Ok, sorry for the sarcasm.  That is
   actually what I was getting at by my statement above.  What would give you
   the idea that I could expect to control what someone typed? ;)

That's what the allow-query option is for.  I assumed you understood this
and were looking for something even better.

-- 
Barry Margolin, barmar at bbnplanet.com
GTE Internetworking, Powered by BBN, Burlington, MA
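As an added example that is not part of Barry's reply or of the BIND documentation, the following named.conf fragment shows how the pieces he describes fit together: a user-defined "trusted" acl (the name is not reserved), the predefined "localhost", "localnets", "any" and "none" lists, allow-query to refuse ordinary queries, and allow-transfer to refuse zone transfers. The network 192.168.1.0/24, the excluded host 192.168.1.99, the secondary at 192.0.2.53 and the zone name are assumptions chosen for illustration.

```conf
// named.conf fragment (added example, not from the list post).
// Addresses and zone names below are assumptions for illustration.

// An acl statement names a group of addresses. "trusted" is not a
// reserved word; it must be defined here before it is referenced.
// Elements are tested in order and the first match wins; "!" negates.
acl "trusted" {
    !192.168.1.99;        // one LAN host that must not use the server
    192.168.1.0/24;       // the rest of the LAN
    localhost;            // predefined: the server's own addresses
    localnets;            // predefined: subnets on the server's interfaces
};

acl "secondaries" {
    192.0.2.53;           // assumed address of our secondary server
};

options {
    directory "/var/named";
    // Applies to every zone unless a zone overrides it. With this,
    // "nslookup www.netscape.com ns.mydomain.com" run from an address
    // outside "trusted" is refused: the command still runs on the
    // remote machine, the server simply will not answer it.
    allow-query { trusted; };
    // No zone transfers at all unless a zone says otherwise.
    allow-transfer { none; };
};

zone "mydomain.com" {
    type master;
    file "mydomain.com.zone";
    // The zone we are authoritative for must stay visible to the world,
    // so override the global restriction for ordinary queries ...
    allow-query { any; };
    // ... but hand out the whole zone only to our own secondary.
    allow-transfer { secondaries; };
};
```

Two points a practitioner should check after writing this. First, address match lists are evaluated in order with first match winning, so a negated host such as `!192.168.1.99` has to appear before the subnet that contains it; listed after `192.168.1.0/24` it would never be reached. Second, an address that matches nothing in the list is denied, so a global `allow-query { trusted; }` also stops outsiders from resolving your own zones unless each authoritative zone restores `allow-query { any; }` as shown.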

