allow-transfer {none;} doesn't seem to work.

/dev/rob0 rob0 at gmx.co.uk
Fri Jul 15 20:40:07 UTC 2005


Barry Margolin wrote:
>>>I have an option as allow-transfer { none;}; to
>>>disable any host to request a zone transfer but when I
>>>do a nslookup I can still do zone transfer. Is there a
>>>bug or I don't understand it correctly?
>>
>>1. Don't use nslookup.
> 
> Although nslookup is not the recommended troubleshooting tool, it *does*
> use zone transfer to implement its "ls" command.  So why do you think
> using dig instead of nslookup would shed some light on this?  Dig is

I didn't know this, but it did occur to me that the dig axfr might succeed.

> better when things fail, since it gives clearer errors, but when things 
> are successful I don't think it makes as much difference which utility 

Perhaps not. But this remains:

>>2. You don't understand something.

The OP is mistaken; allow-transfer { none; }; does work, in fact. If the 
configuration we were shown was actually in effect on that server, zone 
transfers for "match-clients { any; };" would be denied.

Something else, that we were not told, is wrong. Was named restarted 
after the configuration change? Is named running in chroot? Is some 
other server listening and replying on that IP?
-- 
     mail to this address is discarded unless "/dev/rob0"
     or "not-spam" is in Subject: header
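An added example of the kind of named.conf rob0 is describing (not the OP's actual configuration, which the thread never shows in full): a global allow-transfer { none; }; in the options block, inherited by a view whose match-clients { any; }; matches every client. The view name, the zone example.com, the file paths and the commented-out secondary address are placeholders.

```conf
// Added example configuration, not taken from the original post.
// Zone name, view name, directory and addresses are placeholders.
options {
    directory "/var/named";
    // Global default: refuse AXFR/IXFR from every client. Every zone and
    // view inherits this unless it sets its own allow-transfer.
    allow-transfer { none; };
};

view "external" {
    // Every client matches this view, as in the configuration quoted in
    // the thread; the view inherits allow-transfer { none; } from options.
    match-clients { any; };

    zone "example.com" {
        type master;
        file "example.com.zone";
        // Open transfers per zone only for the secondaries that need them,
        // e.g.: allow-transfer { 192.0.2.53; };
    };
};
```

To check that this configuration is the one actually in effect, which is the real question rob0 raises: run `named-checkconf` on the file (with `-t <chroot-dir>` if named runs chrooted, since a chrooted named reads the copy inside the chroot, not /etc/named.conf), then `rndc reload` or restart named so the change is loaded. A test transfer against the server, `dig @127.0.0.1 example.com axfr`, should now end with `; Transfer failed.` and, if the security or xfer-out category is logged, named records a line of the form `client 192.0.2.1#1234: zone transfer 'example.com/AXFR/IN' denied`. If the transfer still succeeds, confirm with `ss -lnp` or `netstat -lnp` that the process listening on port 53 is the named you just reloaded and not another server on the same address.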