use of allow-query-cache
Mark Andrews
Mark_Andrews at isc.org
Tue May 22 23:09:01 UTC 2007
> I just upgraded my nameservers to 9.4.1 and wondered if
> there is any reason I should change my current
> configuration. Is there some future change coming down
> the road that would prompt me to change it?
>
> Or is this just convenient to put it in the options statement
> rather than put the allow-query in every authoritative zone?

The main reason is convenience.

Note: the default acls for allow-recursion/allow-query-cache
are no longer "any;". This won't impact you as you explicitly
set the acl. It may impact others.

2006.   [security]      Allow-query-cache and allow-recursion now default
                        to the builtin acls "localnets" and "localhost".

                        This is being done to make caching servers less
                        attractive as reflective amplifying targets for
                        spoofed traffic. This still leaves authoritative
                        servers exposed.

                        The best fix is for full BCP 38 deployment to
                        remove spoofed traffic.

> options {
>         allow-query { acl; };
>         allow-recursion { acl; };
> };
>
> zone "blah.com" {
>         allow-query { any; };
> };
>
> to
>
> options {
>         allow-query-cache { acl; };
>         allow-recursion { acl; };
>         allow-query { any; };
> };
>
> zone "blah.com" {
>
> };
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
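
Added example, not part of the message above and not ISC or BIND code: a small Python audit that reads the global options block of a named.conf and reports, for allow-query-cache and allow-recursion, the effective ACL, whether it was set explicitly, and whether it is open to "any". The function names, the `trusted` ACL and both sample configurations are constructed; it assumes an unset statement takes the defaults from the CHANGES entry quoted above independently of the other statement, and it ignores view-level options.

```python
import re

# Defaults per the CHANGES entry quoted in the message (BIND 9.4).
# Assumption: each unset statement takes this default independently.
DEFAULT_9_4 = ["localnets", "localhost"]
CACHE_ACLS = ("allow-query-cache", "allow-recursion")

def tokenize(text):
    """Tokenize named.conf text, dropping /* */, // and # comments."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"(#|//)[^\n]*", " ", text)
    return re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text)

def options_acls(text):
    """Return {statement: [elements]} set in the global options block."""
    toks, found, depth, in_opts, i = tokenize(text), {}, 0, False, 0
    while i < len(toks):
        t = toks[i]
        if t in ("{", "}"):
            depth += 1 if t == "{" else -1
            in_opts = in_opts and depth > 0
        elif depth == 0 and t == "options":
            in_opts = True
        elif in_opts and depth == 1 and t in CACHE_ACLS:
            elems, d = [], 0
            while i + 1 < len(toks):      # nested match lists are flattened
                i += 1
                d += {"{": 1, "}": -1}.get(toks[i], 0)
                if d == 0:
                    break
                if toks[i] not in ("{", "}", ";"):
                    elems.append(toks[i].strip('"'))
            found[t] = elems
        i += 1
    return found

def audit(text):
    """Map each statement to (effective ACL, explicitly set?, open to any?)."""
    explicit = options_acls(text)
    return {n: (explicit.get(n, DEFAULT_9_4), n in explicit,
                "any" in explicit.get(n, DEFAULT_9_4)) for n in CACHE_ACLS}

# Constructed sample configurations (not from the thread).
EXPLICIT = """acl trusted { 192.0.2.0/24; };
options { allow-query-cache { trusted; }; allow-recursion { trusted; };
          allow-query { any; };  // authoritative data stays public
};"""
OPEN = "options { allow-recursion { any; }; /* offered to everyone */ };"
```

Calling `audit(OPEN)` flags allow-recursion as open to "any" while allow-query-cache falls back to the restricted defaults; `audit(EXPLICIT)` shows both statements set and neither open.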