allow-recursion stuff

Mipam mipam at ux11.ltcm.net
Thu Jun 8 20:16:55 UTC 2006


On Thu, 8 Jun 2006, Mark Andrews wrote:

> 
> > On Thu, 8 Jun 2006, Mark Andrews wrote:
> > 
> > > 
> > > > Hi All,
> > > > 
> > > > The allow-recursion { trusted; }; is very nice.
> > > > However, isn't it true to when you haven't also got
> > > > allow-query { trusted; }; there is still an issue with just
> > > > allow-recursion? For example, suppose that somebody within the trusted range
> > > > did a query on yahoo.com, it'll be cached. Suppose that allow-query isn't set
> > > > and an external client does a query on yahoo.com he'll get a response because
> > > > the answer is still in the cache? Meaning that external clients can query
> > > > the specified domains which are defined in named.conf but also what is in
> > > > cache? I guess this issue will be addressed in bind 9.4.0 with
> > > > "allow-query-cache" ?
> > > 
> > > 	You can achieve the same effect in earlier versions.  You just have
> > > 	allow-query { any; }; in every zone.
> > 
> > Ok, but I was trying to say that allow-recursion isn't enough to restrict
> > recursion when you haven't also got allow-query specified in versions
> > below 9.4.0, because of the entries in cache that can still be viewed by
> > external non-trusted clients, so recursion can still be done for entries
> > present in cache. So I guess in bind 9.4.0 allow-recursion + allow-query-cache
> > can remedy this issue, although I'd also specify allow-query in the options
> > section as well, because then even without allow-query-cache there is no issue.
> > Point is that I don't see this issue described somewhere and that I am
> > surprised over it and wondered why? Or maybe I am wrong in this
> > assertion?
> > Bye,
> > 
> > Mipam.
> 
> 	They are different concepts.  Quite often you don't want to
> 	let a cache recurse for anyone but you still want anyone to
> 	be able to interrogate the cache's state.

Why would I want everybody to be able to interrogate my nameserver's cache
state? Doesn't this help others obtain info that they shouldn't get
from me?
Bye,

Mipam.
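The three named.conf variants discussed in this thread, written out as an added example (not from the original post). The `trusted` address range, the zone name and file are constructed placeholders, and the three `options` blocks are alternatives to choose between, not one file:

```conf
// Constructed example; "trusted" and the zone are placeholders.
acl trusted { 127.0.0.1; 192.0.2.0/24; };

// Variant A (weak, BIND before 9.4): recursion is limited to trusted
// clients, but allow-query is left at its default of "any", so a record a
// trusted client pulled into the cache (yahoo.com in the thread) is also
// handed to any external client that asks for it.
options {
    allow-recursion { trusted; };
};

// Variant B (BIND before 9.4, as suggested in the reply): restrict
// allow-query globally, then re-open it in every authoritative zone.
// External clients get REFUSED for cached data but still get answers
// for the zones the server is authoritative for.
options {
    allow-recursion { trusted; };
    allow-query     { trusted; };
};
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };       // authoritative data stays public
};

// Variant C (BIND 9.4 and later): allow-query-cache controls who may
// read cached answers independently of who may recurse, so authoritative
// zones need no per-zone override.
options {
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };
    allow-query       { any; };
};
```

Variant A is the configuration the first poster describes as leaking cache contents; B and C close that gap while keeping authoritative zones answerable by anyone.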
