allow-recursion stuff
Mark Andrews
Mark_Andrews at isc.org
Thu Jun 8 02:20:46 UTC 2006
> On Thu, 8 Jun 2006, Mark Andrews wrote:
>
> >
> > > Hi All,
> > >
> > > The allow-recursion { trusted; }; is very nice.
> > > However, isn't it true that when you haven't also got
> > > allow-query { trusted; }; there is still an issue with just
> > > allow-recursion? For example, suppose that somebody within the trusted range
> > > did a query on yahoo.com, it'll be cached. Suppose that allow-query isn't set
> > > and an external client does a query on yahoo.com he'll get a response because
> > > the answer is still in the cache? Meaning that external clients can query
> > > the specified domains which are defined in named.conf but also what is in
> > > cache? I guess this issue will be addressed in bind 9.4.0 with
> > > "allow-query-cache" ?
> >
> > You can achieve the same effect in earlier versions. You just have
> > allow-query { any; }; in every zone.
>
> Ok, but I was trying to say that allow-recursion isn't enough to restrict
> recursion when you haven't also got allow-query specified in versions
> below 9.4.0, because of the entries in cache that can still be viewed by
> external non-trusted clients, so recursion can still be done for entries
> present in cache. So I guess in bind 9.4.0 allow-recursion + allow-query-cache
> can remedy this issue, although I'd also specify allow-query in the options
> section as well, because then even without allow-query-cache there is no issue.
> Point is that I don't see this issue described somewhere and that I am
> surprised over it and wondered why? Or maybe I am wrong in this
> assertion?
> Bye,
>
> Mipam.
They are different concepts. Quite often you don't want to
let a cache recurse for anyone but you still want anyone to
be able to interrogate the cache's state.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
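The two configurations the thread is comparing, written out as an added example (this is not config from the original posts or from ISC). The acl name `trusted`, its address ranges and the zone `example.com` are assumed; substitute your own. The first fragment is the 9.4.0-and-later form with allow-query-cache, the second (commented out) is the pre-9.4 equivalent Mark describes, where allow-query is locked down globally and re-opened in every authoritative zone:

```conf
// Added example, not from the original thread. "trusted" and
// "example.com" are assumed names.

acl trusted { 192.0.2.0/24; 127.0.0.1; ::1; };

// BIND 9.4.0 and later.
// allow-recursion:   who may make this server recurse on their behalf.
// allow-query-cache: who may read answers already sitting in the cache.
// Leaving allow-query open keeps the authoritative zones below served
// to everyone; only the cache and recursion are limited to trusted.
options {
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };
    allow-query       { any; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
};

/* Pre-9.4 equivalent (no allow-query-cache option). Here allow-query
   in options restricts the cache as a side effect, so every zone that
   should stay publicly resolvable needs its own allow-query { any; }:

options {
    allow-recursion { trusted; };
    allow-query     { trusted; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };
};
*/
```

To check the effect, have a trusted client resolve a name first, then from an address outside `trusted` run `dig @<server> yahoo.com A`: with either configuration the answer should come back with `status: REFUSED` even though the record is in the cache, while `dig @<server> example.com SOA` still answers. One caveat for later releases: the BIND ARM documents that when allow-query-cache is not set it defaults to the allow-recursion list, so the explicit allow-query-cache line above is redundant on those versions, but it makes the intent visible in the config and is what the original 9.4.0 discussion relies on.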