source address ignored in 9.3.1?
Gilles Massen
gm at dns.lu
Wed May 4 15:03:49 UTC 2005
Hello Mark,
>> There seems to be an issue with the query-source and/or transfer source
>> options in Bind 9.3.1: while I have an address defined for query, transfer,
>> listen and notify, the nameserver still tries to use its primary IP address
>> for some queries. These queries are SOA queries for domains where it acts
>> as slave, followed by (failed) attempts to open TCP connections from that
>> same IP address. So no slave zone is transferred. For resolving the
>> address 158.64.1.25 is used correctly.
>>
>
>1446. [func] Implemented undocumented alternate transfer sources
> from BIND 8. See use-alt-transfer-source,
> alt-transfer-source and alt-transfer-source-v6.
>
> SECURITY: use-alt-transfer-source is ENABLED unless
> you are using views. This may cause a security risk
> resulting in accidental disclosure of wrong zone
> content if the master supplies different source
> content based on IP address. If you are not certain
> ISC recommends setting use-alt-transfer-source no;
Thanks, this seems to work. But wouldn't it be a good idea if
use-alt-transfer-source were disabled by default, at least if no
alt-transfer-source is explicitly defined? The reason is that it would not
only maintain the behavior of 9.2 but also be closer to the expected
behavior: for my part I clearly expect the explicit definition of
"transfer-source" to override any implicit address detection of bind...
Best regards,
Gilles
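The rule quoted above (in BIND 9.3.1, use-alt-transfer-source defaults to yes unless views are in use, so an explicit transfer-source alone does not pin the address used for zone transfers) is easy to get wrong by omission. Below is an added example, written for this page and not code from the thread or from ISC: a small Python lint that inspects the global options block of a named.conf and flags a transfer-source that is not backed by an explicit use-alt-transfer-source no. The two configuration fragments are constructed for the example (the 158.64.1.25 address is the one mentioned in the thread; the master address and zone name are made up), and the lint only looks at the options block, not at per-view or per-zone statements.

```python
"""Lint a named.conf for the BIND 9.3.1 use-alt-transfer-source default.

Added example for this page; not code from the bind-users thread or from ISC.
Rule encoded (from the CHANGES entry quoted in the thread): without views,
use-alt-transfer-source is enabled by default, so an explicit transfer-source
is only honoured reliably when use-alt-transfer-source is set to no.
"""
import re
from typing import List, Optional

# Constructed fragments, not the poster's real configuration.
WEAK_CONF = """
options {
    directory "/var/named";
    listen-on { 158.64.1.25; };
    query-source address 158.64.1.25;
    transfer-source 158.64.1.25;
    notify-source 158.64.1.25;
    // use-alt-transfer-source not set: defaults to yes in 9.3.1 without views
};
zone "example.net" { type slave; masters { 192.0.2.10; }; file "slave/example.net"; };
"""

FIXED_CONF = WEAK_CONF.replace(
    "notify-source 158.64.1.25;",
    "notify-source 158.64.1.25;\n    use-alt-transfer-source no;",
)

# With views the default flips to no, so the same omission is not flagged.
VIEW_CONF = WEAK_CONF.replace(
    'zone "example.net"',
    'view "internal" { match-clients { any; }; zone "example.net"',
) + "};\n"

BOOL = {"yes": True, "true": True, "1": True, "no": False, "false": False, "0": False}


def strip_comments(text: str) -> str:
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def block_body(text: str, keyword: str) -> Optional[str]:
    """Return the brace-balanced body of the first `keyword ... { }` block, or None."""
    m = re.search(r"\b" + re.escape(keyword) + r"\b[^{;]*\{", text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    raise ValueError("unbalanced braces in %s block" % keyword)


def alt_transfer_setting(body: str) -> Optional[bool]:
    """Explicit use-alt-transfer-source value in a block body, or None if absent."""
    m = re.search(r"\buse-alt-transfer-source\s+(yes|no|true|false|1|0)\s*;", body)
    return BOOL[m.group(1)] if m else None


def has_transfer_source(body: str) -> bool:
    """True if transfer-source or transfer-source-v6 is set (not alt-transfer-source)."""
    return re.search(r"(?<![\w-])transfer-source(-v6)?\s+[^;]+;", body) is not None


def lint(conf: str) -> List[str]:
    """Return findings for the global options block (views/zones are not inspected)."""
    conf = strip_comments(conf)
    opts = block_body(conf, "options") or ""
    uses_views = block_body(conf, "view") is not None
    explicit = alt_transfer_setting(opts)
    findings = []
    if explicit is True:
        findings.append("options: use-alt-transfer-source yes lets named fall back to "
                        "another source address for zone transfers")
    elif explicit is None and not uses_views and has_transfer_source(opts):
        findings.append("options: transfer-source is set but use-alt-transfer-source is "
                        "not; 9.3.1 defaults it to yes without views, so transfers may "
                        "leave from the primary address. Add: use-alt-transfer-source no;")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF), ("views", VIEW_CONF)):
        print(name, lint(conf) or ["ok"])
```

The same check can be run by hand with named-checkconf -p on the live configuration and grepping the printed options block for use-alt-transfer-source; the point of the script is only that the absence of the statement, not its value, is what needs flagging on this release.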