Allow-query setting for server-info and empty-zones

Mark Andrews Mark_Andrews at isc.org
Mon Jan 7 03:57:48 UTC 2008


> Can I again raise the subject of the effective "allow-query" setting
> for the server-info zones (CH/TXT/version.bind and friends) and for
> the "automatic empty zones" of BIND 9.4.x?
> 
> A couple of months ago I wrote
> 
> > 4. Queries against the empty-zones seem always to be allowed, while those
> >     against the server-info zones respect the "allow-query" setting in
> >     the "options" statement. This seems to me to be a bug.
> 
> ... and it's still true in BIND 9.4.2
> 
> Mark Andrews wrote in response
> 
> > This one needs to be addressed.
> 
> ... which sounded sort of hopeful. However, I don't see any match in the
> "Upcoming Fixes" list at www.isc.org.
> 
> Incidentally, the fact that the options-level "allow-query" controls access
> to the server-info zones is (a) flatly in contradiction to what the ARM says:
> 
> | Built-in server information zones
> ...
> | therefore, any global server options such as allow-query do not
> | apply to these zones.

	The code is using the "allow-query-cache" acl.  allow-query-cache
	inherits from allow-query iff you have set allow-query.
 
> and (b) a source of embarrassment to me. For our authoritative-only servers
> we have an options-level "allow-query {[very-little];};" overridden for each
> zone with (mostly) "allow-query {any;};" -- this is so the named.conf will
> work with both 9.3.x and 9.4.x but disallow access to the cache. But this
> means that (almost) no-one can query the version.bind record on them, making
> us look as though we have a form of paranoia of which I disapprove :-)

	Well, stop using 9.3 constructs and start using 9.4 constructs.

	"allow-query-cache {[very-little];};" and leave allow-query
	to default to "allow-query {any;};".
 
> It seems to me that the current state is almost the opposite of what one
> really wants: empty zones should inherit the options-level (or view-level)
> allow-query setting, while server-info zones should get it set to "any".
> But maybe explicit control is needed as well?
> 
> Ought I to approach bind9-bugs at isc.org with all this?
> 
> -- 
> Chris Thompson
> Email: cet1 at cam.ac.uk
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
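As an added illustration of the two named.conf layouts discussed in this thread (this is not a fragment from either poster or from ISC's documentation), the first file is the 9.3-compatible layout Chris describes, the second is the 9.4-style layout Mark recommends. The ACL contents, directory, hostname and zone name are placeholders; the second file uses allow-query-cache, which only exists from BIND 9.4 onward, so it will not parse on 9.3.

```conf
// ---- named.conf, 9.3-compatible layout (placeholder values) ----
// Global allow-query is restricted to keep the cache private, and
// every authoritative zone overrides it back to "any".  On 9.4.x the
// restricted allow-query is inherited by allow-query-cache (it was set
// explicitly), and the CH/TXT server-info zones (version.bind and
// friends) are checked against that ACL, so outside clients are
// refused for version.bind even though the zones answer normally.
acl "very-little" { 127.0.0.1; 192.0.2.0/24; };   // placeholder ACL

options {
    directory "/var/named";            // placeholder
    recursion no;
    allow-query { "very-little"; };
};

zone "example.com" {                   // placeholder zone
    type master;
    file "example.com.zone";
    allow-query { any; };              // must be repeated in every zone
};

// ---- named.conf, 9.4-style layout (placeholder values) ----
// Leave allow-query at its default of "any" and restrict only
// allow-query-cache.  The per-zone overrides are no longer needed,
// the cache stays closed, and version.bind is answerable by everyone.
acl "very-little" { 127.0.0.1; 192.0.2.0/24; };   // placeholder ACL

options {
    directory "/var/named";            // placeholder
    recursion no;
    allow-query-cache { "very-little"; };
};

zone "example.com" {                   // placeholder zone
    type master;
    file "example.com.zone";
};
```

To see the difference from outside the "very-little" ACL, query the server-info zone with `dig @ns1.example.net version.bind TXT CH` (hostname is a placeholder): the first layout returns REFUSED, the second returns the TXT record. In both layouts, run `named-checkconf` after editing; it is the quickest way to catch the allow-query-cache directive on a host still running 9.3.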