Transfer Source question.
Mark Andrews
Mark_Andrews at isc.org
Wed Feb 6 23:55:33 UTC 2008
1446. [func] Implemented undocumented alternate transfer sources
from BIND 8. See use-alt-transfer-source,
alt-transfer-source and alt-transfer-source-v6.
SECURITY: use-alt-transfer-source is ENABLED unless
you are using views. This may cause a security risk
resulting in accidental disclosure of wrong zone
content if the master supplies different content
based on the source IP address. If you are not certain,
ISC recommends setting use-alt-transfer-source no;
> I have several nameservers load-balanced. Each has a front end IP, a
> LB'd IP, and a 3rd IP for zone transfers.
>
> == named.conf ==
> transfer-source 207.99.0.7;
>
> When a zone transfer initiates from 207.99.0.7 and a connection cannot
> be established, it tries again with the server's main IP. This is
> obviously a problem because my servers are all over the place in
> physical land and I'd rather tell my customers to allow 207.99.0/24 than
> a list of random IPs I may someday use.
>
> I read the docs and while they suggest other IPs can be used when the
> transfer-source fails, they suggest those will only be used when you set
> alt-transfer-source. However, other Google searches comment that
> use-alt-transfer-source defaults to on, so I can only speculate that with
> that defaulted on and no IP set it will use the main Ethernet IP.
>
> I have set use-alt-transfer-source to no and will check the logs in a
> few days.
>
> Is this a feature? A spot for more documentation? A bug?
>
> Or am I missing something?
>
>
> --
> Ryan Pavely
> Director Research And Development
> Net Access Corporation
> http://www.nac.net/ http://www.15minuteservers.com/
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
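The condition in the thread is easy to miss in a config review: a pinned transfer-source, no views, and no explicit use-alt-transfer-source means the BIND 8 compatibility default of yes applies, and a failed transfer is retried from another address. The following is an added example, not code from the thread or from ISC: a small linter that parses a named.conf fragment with a hand-written parser (not BIND's) and reports every options or view scope where the fallback is in effect, using the defaults stated in the CHANGES entry above. The configuration fragments are constructed; only 207.99.0.7 comes from the post, and the assumption that an unset alt-transfer-source lets the OS pick the address (reported as `*`) is based on what the poster observed, not on anything the thread states.

```python
import re

# Constructed sample fragments (not from the thread). WEAK_CONF reproduces
# the poster's setup: a pinned transfer-source, no views, default fallback on.
WEAK_CONF = """
options {
    directory "/var/named";
    transfer-source 207.99.0.7;          // the address customers are told to allow
};
zone "example.net" { type slave; masters { 192.0.2.10; }; file "sec/example.net"; };
"""

# The fix the CHANGES entry recommends: turn the fallback off explicitly.
HARDENED_CONF = """
options {
    directory "/var/named";
    transfer-source 207.99.0.7;
    use-alt-transfer-source no;
};
zone "example.net" { type slave; masters { 192.0.2.10; }; file "sec/example.net"; };
"""

# With views the default flips to no, so this fragment is not reported.
VIEWS_CONF = """
options { transfer-source 207.99.0.7; };
view "external" { match-clients { any; };
    zone "example.net" { type slave; masters { 192.0.2.10; }; file "sec/example.net"; }; };
"""

# Fallback deliberately enabled but pinned to a known address (constructed).
PINNED_ALT_CONF = """
options { transfer-source 207.99.0.7; use-alt-transfer-source yes; alt-transfer-source 207.99.0.8; };
"""

_TOKEN = re.compile(r'\{|\}|;|"[^"]*"|[^\s{};"]+')


def strip_comments(text):
    """Drop /* */, // and # comments (naive: a '//' inside a quoted string is cut too)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def parse_block(tokens, i=0):
    """Return (statements, next_index); a statement is (words, children_or_None)."""
    stmts, cur = [], []
    while i < len(tokens):
        tok = tokens[i]
        if tok == ";":
            if cur:
                stmts.append((cur, None))
                cur = []
            i += 1
        elif tok == "{":
            children, i = parse_block(tokens, i + 1)
            stmts.append((cur, children))
            cur = []
        elif tok == "}":
            return stmts, i + 1
        else:
            cur.append(tok)
            i += 1
    return stmts, i


def parse(conf):
    return parse_block(_TOKEN.findall(strip_comments(conf)))[0]


def simple_settings(body):
    """'keyword arg...;' statements of a block as {keyword: [args]}; nested blocks skipped."""
    return {w[0]: w[1:] for w, children in (body or []) if children is None and w}


def is_on(value):
    return value.lower() in ("yes", "true", "1")


def lint(conf):
    """List every scope whose pinned transfer-source can fall back to another address."""
    stmts = parse(conf)
    has_views = any(w and w[0] == "view" for w, _ in stmts)
    global_opts = {}
    for w, children in stmts:
        if w and w[0] == "options":
            global_opts.update(simple_settings(children))
    scopes = [("options", global_opts)]
    for w, children in stmts:
        if w and w[0] == "view":
            merged = dict(global_opts)
            merged.update(simple_settings(children))  # a view overrides options
            scopes.append((" ".join(w), merged))
    findings = []
    for scope, opts in scopes:
        if "transfer-source" not in opts:
            continue  # nothing pinned, so nothing to fall back from
        explicit = "use-alt-transfer-source" in opts
        # Defaults per the CHANGES entry: yes without views, no with views.
        use_alt = is_on(opts["use-alt-transfer-source"][0]) if explicit else not has_views
        if not use_alt:
            continue
        # Assumption: with alt-transfer-source unset the OS chooses the address,
        # which is what the poster saw as "the server's main IP".
        fallback = opts.get("alt-transfer-source", ["*"])[0]
        findings.append({"scope": scope, "source": opts["transfer-source"][0],
                         "fallback": fallback, "explicit": explicit})
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF),
                       ("views", VIEWS_CONF), ("pinned-alt", PINNED_ALT_CONF)):
        print(name, lint(conf))
```

A finding whose fallback is `*` is the situation in the thread: the retry source is whatever address the kernel selects, so the customer's allow-transfer ACL has to cover addresses nobody intended to publish. A finding with a pinned alt-transfer-source is a deliberate choice and only needs that second address in the ACL; a view-based configuration needs the fallback turned on explicitly before it is reported at all.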