Bind 8.2.3 - Problem with allow-query in options and zone together
Michael Kjorling
michael at kjorling.com
Tue Jul 31 17:36:43 UTC 2001
I personally would expect BIND to behave this way. The class IN
(Internet) is the default, but you could just as well spell it out
like so:

    zone "pirum.com" in { ...

I don't even think there is a class 'any', but I could be wrong on
that.

Anyway, why are you limiting _queries_ like this? It would make more
sense to limit only recursion:

    options {
        allow-recursion { localhost; };
    };

Then, you don't have to worry about side effects like this.

Michael Kjörling

On Jul 31 2001 09:15 -0700, Rupert Perry wrote:
>
> Hi,
>
> I have configured my BIND to not allow any queries at the global level
> (i.e. in options) and then to specifically allow anyone to query one
> of the zones that my DNS server provides. According to the BIND
> documentation, this should mean that all queries are disallowed,
> except for queries relating to zones provided by my server.
>
> This is what a snippet of my config file looks like:
>
> options {
>     allow-query { none; }; // By default no queries are allowed
> };
>
> zone "pirum.com" {
>     type master;
>     file "/etc/bind/db.pirum";
>     allow-query { any; };
> };
>
> Using this set-up, I can perform a normal MX lookup for zone pirum.com
> without any problems (dig @ns.pirum.com pirum.com mx), but if I repeat
> the query with the class set to 'any' instead of default value of 'IN'
> (dig @ns.pirum.com pirum.com mx -c any), the query is refused by BIND.
> If I don't set the allow-query global setting in options, the
> second query returns the same results as the first query, as expected.
>
> It seems to me that this is a bug in BIND, as the expected behaviour
> would be for the MX record detail to be returned for both queries, not
> just when the class is set to 'IN'. Am I right in thinking this?
> Next question - How can I work around this problem without removing
> the allow-query { none; }; setting from options?
>
> Thanks,
>
> Rupert.
--
Michael Kjörling - michael at kjorling.com - PGP: 8A70E33E
Manager Wolf.COM -- Programmer -- Network Administrator
"We must be the change we wish to see" (Mahatma Gandhi)
^..^ Support the wolves in Norway -- go to ^..^
\/ http://home.no.net/ulvelist/protest_int.htm \/
***** Please only send me emails which concern me *****
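
Added example, not part of either message above: a Python sketch that builds the two queries the quoted dig commands send (MX for pirum.com with class IN and with `-c any`) and decodes the response code of a reply. The refusal reply is a constructed sample, not captured from a BIND server, and all function names are hypothetical.

```python
import struct

# QCLASS and QTYPE codes from RFC 1035: IN = 1, "*" (any class) = 255, MX = 15.
CLASS_IN, CLASS_ANY, TYPE_MX = 1, 255, 15
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype, qclass, msg_id=0x1234, rd=True):
    """Build a one-question DNS query: 12-byte header plus question."""
    flags = 0x0100 if rd else 0  # RD bit, which dig sets by default
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)

def parse_reply(msg):
    """Return (rcode name, echoed qclass or None) from a DNS response."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    _id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    rcode = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    qclass = None
    if qdcount:
        pos = 12
        while msg[pos]:
            if msg[pos] & 0xC0:
                raise ValueError("compressed question name not handled")
            pos += 1 + msg[pos]  # skip one length-prefixed label
        _qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return rcode, qclass

def constructed_refusal(query):
    """Constructed sample reply: echo the query with QR set and RCODE 5."""
    flags = struct.unpack("!H", query[2:4])[0] | 0x8000 | 5
    return query[:2] + struct.pack("!H", flags) + query[4:]

# The two queries are byte-identical except for the final QCLASS field.
q_in = build_query("pirum.com", TYPE_MX, CLASS_IN)
q_any = build_query("pirum.com", TYPE_MX, CLASS_ANY)
```
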