Bind 8.2.3 - Problem with allow-query in options and zone together

Michael Kjorling michael at kjorling.com
Tue Jul 31 17:36:43 UTC 2001 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I personally would expect BIND to behave this way. The class IN
(Internet) is the default, but you could just as well spell it out
like so:

	zone "pirum.com" in { ...

I don't even think there is a class 'any', but I could be wrong on
that.

Anyway, why are you limiting _queries_ like this? It would make more
sense to limit only recursion:

	options {
		allow-recursion { localhost; };
	};

Then, you don't have to worry about side effects like this.


Michael Kjörling


On Jul 31 2001 09:15 -0700, Rupert Perry wrote:

>
> Hi,
>
> I have configured my BIND to not allow any queries at the global level
> (i.e. in options) and then to specifically allow anyone to query one
> of the zones that my DNS server provides.  According to the BIND
> documentation, this should mean that all queries are disallowed,
> except for queries relating to zones provided by my server.
>
> This is what a snippet of my config file looks like:
>
> options {
>         allow-query { none; };  // By default no queries are allowed
> };
>
> zone "pirum.com" {
>         type master;
>         file "/etc/bind/db.pirum";
>         allow-query { any; };
> };
>
> Using this set-up, I can perform a normal MX lookup for zone pirum.com
> without any problems (dig @ns.pirum.com pirum.com mx), but if I repeat
> the query with the class set to 'any' instead of default value of 'IN'
> (dig @ns.pirum.com pirum.com mx -c any), the query is refused by BIND
> .  If I don't set the allow-query global setting in options, the
> second query returns the same results as the first query, as expected.
>
> It seems to me that this is a bug in BIND, as the expected behaviour
> would be for the MX record detail to be returned for both queries, not
> just when the class is set to 'IN'.  Am I right in thinking this?
> Next question - How can I work around this problem without removing
> the allow-query { none; }; setting from options?
>
> Thanks,
>
> Rupert.

- -- 
Michael Kjörling - michael at kjorling.com - PGP: 8A70E33E
Manager Wolf.COM -- Programmer -- Network Administrator
"We must be the change we wish to see" (Mahatma Gandhi)

^..^     Support the wolves in Norway -- go to     ^..^
 \/   http://home.no.net/ulvelist/protest_int.htm   \/

***** Please only send me emails which concern me *****

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7ZuyuKqN7/Ypw4z4RAgsiAKCxkceITh6CaKYWYwJiDWvoTeINrwCg7i3h
FvO6VK0z4mlkLg1ThGBVA7g=
=SJW2
-----END PGP SIGNATURE-----

More information about the bind-users mailing list