allow-recursion stuff

Mark Andrews Mark_Andrews at isc.org
Thu Jun 8 22:38:53 UTC 2006


> On Thu, 8 Jun 2006, Mark Andrews wrote:
> 
> > 
> > > On Thu, 8 Jun 2006, Mark Andrews wrote:
> > > 
> > > > 
> > > > > Hi All,
> > > > > 
> > > > > The allow-recursion { trusted; }; is very nice.
> > > > > However, isn't it true that when you haven't also got
> > > > > allow-query { trusted; }; there is still an issue with just
> > > > > allow-recursion? For example, suppose that somebody within the trusted range
> > > > > did a query on yahoo.com, it'll be cached. Suppose that allow-query isn't set
> > > > > and an external client does a query on yahoo.com he'll get a response because
> > > > > the answer is still in the cache? Meaning that external clients can query
> > > > > the specified domains which are defined in named.conf but also what is in
> > > > > cache? I guess this issue will be addressed in bind 9.4.0 with
> > > > > "allow-query-cache" ?
> > > > 
> > > > 	You can achieve the same effect in earlier versions.  You just have
> > > > 	allow-query { any; }; in every zone.
> > > 
> > > Ok, but I was trying to say that allow-recursion isn't enough to 
> > > restrict
> > > recursion when you haven't also got allow-query specified in versions 
> > > below 9.4.0, because of the 
> > > entries in cache that can still be viewed by external non-trusted clients, 
> > > so recursion can still be done for entries present in cache. So I guess in 
> > > bind 9.4.0 allow-recursion + allow-query-cache can remedy this issue, 
> > > although I'd also specify allow-query in the options section as well, 
> > > cause then even without allow-query-cache there is no issue.
> > > Point is that I don't see this issue described somewhere and that I am 
> > > surprised over it and wondered why? Or maybe I am wrong in this 
> > > assertion?
> > > Bye,
> > > 
> > > Mipam.
> > 
> > 	They are different concepts.  Quite often you don't want to
> > 	let a cache recurse for anyone but you still want anyone to
> > 	be able to interrogate the cache's state.
> 
> Why would I want everybody to be able to interrogate my nameserver's cache 
> state? Doesn't this help others obtain info that they shouldn't get 
> from me?
> Bye,
> 
> Mipam.

	It helps in debugging problems.  The description of what the
	acls do is clear.

	Choosing the right acl to achieve the desired effects is the
	administrator's responsibility.

	Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
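The two configurations discussed in this thread, written out as an added named.conf example (not from the thread or from ISC); the addresses in the "trusted" ACL are constructed placeholders:

```conf
// Added example, not from the thread. Addresses below are constructed placeholders.
acl trusted { 192.0.2.0/24; 127.0.0.1; };

// Weak (the situation Mipam describes): only recursion is restricted.
// Untrusted clients cannot trigger new lookups, but anything already
// sitting in the cache is still answered for them.
//
// options {
//     allow-recursion { trusted; };
// };

// BIND 9.4 and later: restrict cache answers explicitly while leaving
// authoritative zone data readable by anyone.
options {
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };
    allow-query       { any; };
};

// Pre-9.4 equivalent (the workaround Mark describes): deny queries
// globally, which also covers the cache, then re-open each authoritative
// zone with a zone-level allow-query.
//
// options {
//     allow-recursion { trusted; };
//     allow-query     { trusted; };
// };
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };   // zone-level setting overrides the options default
};
```

Only one options block may be active in a real named.conf; the commented variants show what to swap in for the other two cases.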