Allow-query setting for server-info and empty-zones

Chris Thompson cet1 at hermes.cam.ac.uk
Sat Jan 5 20:02:11 UTC 2008


Can I again raise the subject of the effective "allow-query" setting
for the server-info zones (CH/TXT/version.bind and friends) and for
the "automatic empty zones" of BIND 9.4.x?

A couple of months ago I wrote

> 4. Queries against the empty-zones seem always to be allowed, while those
>     against the server-info zones respect the "allow-query" setting in
>     the "options" statement. This seems to me to be a bug.

... and it's still true in BIND 9.4.2

Mark Andrews wrote in response

> This one needs to be addressed.

... which sounded sort of hopeful. However, I don't see any match in the
"Upcoming Fixes" list at www.isc.org.

Incidentally, the fact that the options-level "allow-query" controls access
to the server-info zones is (a) flatly in contradiction to what the ARM says:

| Built-in server information zones
...
| therefore, any global server options such as allow-query do not
| apply to these zones.

and (b) a source of embarrassment to me. For our authoritative-only servers
we have an options-level "allow-query {[very-little];};" overridden for each
zone with (mostly) "allow-query {any;};" -- this is so the named.conf will
work with both 9.3.x and 9.4.x but disallow access to the cache. But this
means that (almost) no-one can query the version.bind record on them, making
us look as though we have a form of paranoia of which I disapprove :-)

It seems to me that the current state is almost the opposite of what one
really wants: empty zones should inherit the options-level (or view-level)
allow-query setting, while server-info zones should get it set to "any".
But maybe explicit control is needed as well?

Ought I to approach bind9-bugs at isc.org with all this?

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
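The named.conf pattern described in the post, written out as an added illustration rather than the poster's own configuration; the ACL contents, the zone name and the `recursion no;` line are assumptions:

```conf
// Added example, not Chris Thompson's named.conf. The ACL members and the
// zone name are placeholders; "recursion no" is assumed for an
// authoritative-only server.
acl "very-little" { 127.0.0.1; 192.0.2.0/24; };

options {
    recursion no;
    // Restrictive default, so the same file works on 9.3.x and 9.4.x
    // and the cache cannot be queried from outside.
    // Side effect reported above for 9.4.2: the CH/TXT server-info
    // zones (version.bind and friends) honour this setting, so almost
    // nobody can query them, contrary to the ARM text quoted in the post.
    allow-query { "very-little"; };
};

zone "example.net" {
    type master;
    file "db.example.net";
    // Per-zone override: each published zone stays open to everyone.
    allow-query { any; };
};

// Nothing here applies to the automatic empty zones (10.in-addr.arpa
// and the rest); as reported above, 9.4.2 answers queries for them
// regardless of the options-level allow-query.
```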