[bind9] allow transfer, nameserver-only?

Mark Andrews Mark_Andrews at isc.org
Mon Jan 30 21:37:50 UTC 2006


> Danny Mayer (mayer at gis.net) wrote:
> > Helmut Schneider wrote:
> >> Barry Margolin (barmar at alum.mit.edu) wrote:
> >>> In article <drddrq$2l1p$1 at sf1.isc.org>,
> >>> "Helmut Schneider" <jumper99 at gmx.de> wrote:
> >>>
> >>>> is it possible to define that a zone transfer is only allowed for NS
> >>>> records of the according zone file?
> >>> I don't think BIND has such an option.  Some other DNS implementations
> >>> use the NS records as their default "allow-transfer" access list.
> >>
> >> Yes, Windows DNS does and I hoped that bind has such an option, too.
> >>
> > You can restrict transfer of any zone to any list of addresses with the
> > allow-transfer option. It's up to you to specify what you want in there.
> 
> I do have ACLs for that but if you maintain a list of zones where the 
> secondaries are spread over a number of providers it is no fun to delegate 
> zone transfer for each zone.

	The majority of zones don't need to be secured against zone
	transfer.  It really does not protect you against much at
	all.

	If you do need to secure the zone then use something a lot
	stronger than IP address.  TSIG comes to mind.
 
	Mark
> -- 
> Please do not feed my mailbox, Swen still does his job well 

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
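For readers arriving at this thread looking for the configuration, the following named.conf fragment is an added example, not something posted in the thread and not ISC's own text. It puts the address-based ACL that Danny describes next to the TSIG-keyed form Mark recommends, and uses an options-level allow-transfer so that a key, not a per-zone address list, is the default for every zone (Helmut's "many providers" case). Key name, secret, addresses and zone name are placeholders; the key/ACL statement syntax is standard BIND 9.

```conf
// Added example (not from the original thread). Primary-side named.conf fragment.
// Key name, secret, addresses and zone names are placeholders.

// Weak form: an address-based ACL. Whoever can source packets from these
// addresses (a compromised host there, or a spoofer on an unfiltered path)
// can pull every zone.
acl "secondaries-by-ip" { 192.0.2.53; 198.51.100.53; };

// Stronger form: a TSIG key shared with the secondaries.
// Generate the secret with:   tsig-keygen -a hmac-sha256 xfer-key
// (older BIND 9:              dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST xfer-key)
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-GENERATED-BASE64-SECRET";   // placeholder
};

options {
    directory "/var/named";
    // Global default: a transfer must be signed with the key, whatever the
    // source address. New zones inherit this, so no per-zone address lists
    // have to be maintained as secondaries move between providers.
    allow-transfer { key "xfer-key"; };
};

zone "example.com" {
    type master;              // "type primary;" on BIND 9.16 and later
    file "example.com.zone";
    // Optional per-zone tightening: require BOTH a listed address AND the key.
    // The nested negation is BIND's documented idiom for "A and B" in an
    // address match list: sources outside the ACL are rejected by the first
    // element, sources inside it fall through and must present the key.
    allow-transfer { !{ !secondaries-by-ip; any; }; key "xfer-key"; };
};

// ---------------------------------------------------------------------
// Secondary-side fragment (placeholder primary address 192.0.2.1).
// The same key statement as above must be present here as well; the
// "server" clause makes named sign every request to that primary with it.
// ---------------------------------------------------------------------
// server 192.0.2.1 { keys { "xfer-key"; }; };
//
// zone "example.com" {
//     type slave;                  // "type secondary;" on BIND 9.16 and later
//     masters { 192.0.2.1; };      // "primaries { ... };" on BIND 9.16 and later
//     file "slaves/example.com.zone";
// };
```

To check the result from a secondary (or any host), an unsigned AXFR should be refused and a signed one should succeed: `dig @192.0.2.1 example.com AXFR` (expect REFUSED) versus `dig @192.0.2.1 example.com AXFR -y hmac-sha256:xfer-key:<base64 secret>`. The secret is a symmetric credential: file permissions on named.conf (or an included keys file) matter as much as the algorithm, and clocks on both sides must agree within the TSIG fudge window (300 seconds by default) or signed requests fail with BADTIME.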