allow-recursion stuff
Mark Andrews
Mark_Andrews at isc.org
Thu Jun 8 22:38:53 UTC 2006
> On Thu, 8 Jun 2006, Mark Andrews wrote:
>
> >
> > > On Thu, 8 Jun 2006, Mark Andrews wrote:
> > >
> > > >
> > > > > Hi All,
> > > > >
> > > > > The allow-recursion { trusted; }; is very nice.
> > > > > However, isn't it true that when you haven't also got
> > > > > allow-query { trusted; }; there is still an issue with just
> > > > > allow-recursion? For example, suppose that somebody within the trusted range
> > > > > did a query on yahoo.com, it'll be cached. Suppose that allow-query isn't set
> > > > > and an external client does a query on yahoo.com, he'll get a response because
> > > > > the answer is still in the cache? Meaning that external clients can query
> > > > > the specified domains which are defined in named.conf but also what is in
> > > > > cache? I guess this issue will be addressed in bind 9.4.0 with
> > > > > "allow-query-cache" ?
> > > >
> > > > You can achieve the same effect in earlier versions. You just have
> > > > allow-query { any; }; in every zone.
> > >
> > > Ok, but I was trying to say that allow-recursion isn't enough to restrict
> > > recursion when you haven't also got allow-query specified in versions
> > > below 9.4.0, because of the entries in cache that can still be viewed by
> > > external non-trusted clients, so recursion can still be done for entries
> > > present in cache. So I guess in bind 9.4.0 allow-recursion + allow-query-cache
> > > can remedy this issue, although I'd also specify allow-query in the options
> > > section as well, because then even without allow-query-cache there is no issue.
> > > Point is that I don't see this issue described somewhere and that I am
> > > surprised over it and wondered why? Or maybe I am wrong in this
> > > assertion?
> > > Bye,
> > >
> > > Mipam.
> >
> > They are different concepts. Quite often you don't want to
> > let a cache recurse for anyone but you still want anyone to
> > be able to interrogate the cache's state.
>
> Why would I want everybody to be able to interrogate my nameserver's cache
> state? Doesn't this help others obtain info that they shouldn't get
> from me?
> Bye,
>
> Mipam.
It helps in debugging problems. The description of what the
ACLs do is clear.
Choosing the right ACL to achieve the desired effects is the
administrator's responsibility.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
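The configuration the thread is arguing about, written out as an added example (constructed for this page, not posted by either participant, and not taken from the BIND documentation). The "trusted" ACL and the zone name are assumptions; the first options block shows the setting Mipam describes as insufficient, the second shows the fix Mark suggests for versions before 9.4.0 (restrict queries globally, then reopen them per zone) together with the 9.4.0 allow-query-cache option.

```conf
// Constructed example for a BIND 9 named.conf (assumed ACL and zone names).
acl trusted { 192.0.2.0/24; 127.0.0.1; };

// Weak form from the thread: only "trusted" may trigger recursion, but
// allow-query defaults to any, so an answer fetched for a trusted client
// (e.g. yahoo.com) is served to anyone as long as it sits in the cache.
options {
    allow-recursion { trusted; };
};

// Hardened form for BIND < 9.4.0: make allow-query cover the cache too,
// then reopen queries zone by zone so authoritative data stays public.
options {
    allow-recursion { trusted; };
    allow-query { trusted; };        // applies to the cache and to every zone
                                     // that does not override it
    // BIND 9.4.0 and later can say this directly instead:
    // allow-query-cache { trusted; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };            // authoritative answers remain public
};
```

To check the effect from an address outside the "trusted" range, ask for a name that a trusted client has just looked up, with recursion switched off so only cached data could answer: `dig @ns.example.com www.yahoo.com +norecurse`. With the weak configuration the cached record comes back; with the hardened one the server answers REFUSED, while `dig @ns.example.com example.com` still succeeds because the zone overrides allow-query.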