[bind9] allow transfer, nameserver-only?

Barry Finkel b19141 at britaine.ctd.anl.gov
Tue Jan 31 14:41:38 UTC 2006


"Helmut Schneider" <jumper99 at gmx.de> wrote:

>>> is it possible to define that a zone transfer is only allowed for NS
>>> records of the according zone file?


And Barry Margolin (barmar at alum.mit.edu) replied:

>> I don't think BIND has such an option.  Some other DNS implementations 
>> use the NS records as their default "allow-transfer" access list.


"Helmut Schneider" <jumper99 at gmx.de> replied:

> Yes, Windows DNS does and I hoped that bind has such an option, too.
> 
> Thanks, Helmut


The MS implementation has one drawback/bad design.  When a zone transfer
request is received from an IP address, then the MS code checks
its DNS cache to see if it can resolve that IP address.  If the address
resolves to a name that is in the zone's NS list, then the zone
transfer request is honored.  If the address resolves to a name
that is not in the zone's NS list, the transfer is refused.
BUT, if the IP address is not in the DNS cache, then the zone transfer
is refused.  One of the developers told me that the code will not
do a DNS query to get the nodename associated with the IP address
because that query has a chance of being hijacked by a rogue server
and the wrong information acquired.  When I see this happen on my
MS W2k+3 DNS server, I just issue the command

     dig <name of BIND slave> @<name of MS W2k DNS Server>

and the MS code will do DNS queries to find the IP address(es) of
the BIND slave and place those addresses in its cache.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
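Added example, not from this thread or from BIND itself: since BIND has no NS-based transfer ACL, a small script can build the explicit allow-transfer ACL from a zone's NS set, resolving the names out of band at config-generation time rather than at transfer time. Zone name, NS names and addresses below are constructed sample values; an NS name with no known address is reported and left out of the ACL instead of being guessed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: the NS set of a zone plus a lookup table that stands in
# for resolving those names out of band (at config-generation time, not at
# transfer time).  ns-backup.example.net. is missing on purpose.
ZONE = "example.com"
ZONE_NS = ["ns1.example.com.", "ns2.example.com.", "ns-backup.example.net."]
ADDRESS_BOOK: Dict[str, List[str]] = {
    "ns1.example.com.": ["192.0.2.10"],
    "ns2.example.com.": ["192.0.2.11", "2001:db8::11"],
}


def ns_addresses(ns_names: List[str], lookup: Dict[str, List[str]]) -> Tuple[List[str], List[str]]:
    """Return (addresses, unresolved); unknown names are excluded, not guessed."""
    addrs: List[str] = []
    unresolved: List[str] = []
    for name in ns_names:
        found = lookup.get(name, [])
        if not found:
            unresolved.append(name)
            continue
        for addr in found:
            ipaddress.ip_address(addr)  # ValueError on anything that is not an IP literal
            if addr not in addrs:
                addrs.append(addr)
    return addrs, unresolved


def render_named_conf(zone: str, ns_names: List[str], lookup: Dict[str, List[str]]) -> str:
    """Emit a named.conf fragment: an acl of NS addresses and a zone using it."""
    addrs, unresolved = ns_addresses(ns_names, lookup)
    acl_name = "xfer-" + zone.replace(".", "-")
    out = [f"acl {acl_name} {{"]
    out += [f"    {a};" for a in addrs]
    if unresolved:
        out.append("    // NS names with no known address, not allowed: " + " ".join(unresolved))
    out.append("};")
    out.append(f'zone "{zone}" {{')
    out.append("    type master;")
    out.append(f'    file "{zone}.zone";')
    out.append(f"    allow-transfer {{ {acl_name}; }};")
    out.append("};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_named_conf(ZONE, ZONE_NS, ADDRESS_BOOK))
```

Regenerate the fragment whenever the NS set changes and check it with named-checkconf before reloading.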