Strange Behavior
Kevin Darcy
kcd at chrysler.com
Mon Oct 26 19:53:43 UTC 2009
Lawrence MacIntyre wrote:
> Hi:
>
> I have a name server running named on a closed network. The root
> servers name my node and another node (running DNS on a Sidewinder
> firewall) as authoritative for our domain as well as several
> subdomains. Two of the subdomains have their own servers, and we
> configured our (allegedly authoritative) servers as slaves to the
> subdomain servers. This worked well for several years. Now, these
> subdomains have decided (for "security" reasons) that they are going
> to disallow zone transfers to us. So we set our servers to forward
> requests to the subdomain nameservers. The Sidewinder does this, but
> our server doesn't. It simply reports that it has no information about
> any node in the subdomain. Remote users report that when they use dig
> +trace @ourserver node.in.subdomain, they see referrals to the
> Internet root servers. Our hints file has the correct root servers,
> and we don't even have a file listing the Internet root servers. I
> cannot verify their claims, as it doesn't do that when queried from
> our site, and I have no access to an account on any remote site.
>
> What does named do when it is listed as authoritative for a domain by
> the root servers, but is configured to forward requests for addresses
> in that domain? Does anyone know how the remote users could see
> referrals to the Internet root servers even though we have the correct
> root servers set in our nameserver?
I started a long tirade about clueless admins who take the mantra "zone
transfers are insecure" way too far, but I think the more terse and
level-headed response is

a) BIND will never recurse a non-recursive query, and non-recursive
queries are what it gets when arbitrary resolvers query yours as a result
of following the resolution of the query down the delegation chain (e.g.
what one sees in dig +trace),

b) if you want to recurse a query that wasn't recursive to begin with, I
think this falls under the generic heading of "proxying DNS". BIND
doesn't support that, but I'm presuming that's what the Sidewinder is doing,

c) in architectural terms, you simply *cannot* be "authoritative" for a
zone if you don't replicate the full contents of the zone, either
in-protocol (AXFR/IXFR) or via some "out-of-band" mechanism (e.g. rsync),

d) are these subdomains being hosted on BIND or something that supports
TSIG? Perhaps offering to TSIG-authenticate your zone transfers might
satisfy their security requirements...
- Kevin
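The named.conf fragments below are an added example, not part of Kevin's reply or the original post. They put the forwarding setup the poster describes next to the TSIG-authenticated transfer Kevin suggests in (d). The zone name sub.corp.example, the primary's address 192.0.2.53, the key name parent-xfer and its secret are all assumed placeholders.

```conf
#
# 1. named.conf on the parent's server: the forwarding setup from the
#    original post. Forwarding is part of recursion, so named only uses
#    the forwarders for queries that arrive with the RD bit set. A resolver
#    that reaches this server by walking the delegation chain (what
#    dig +trace shows) sends RD=0, so nothing is forwarded for it and there
#    is no zone data to answer from. The server is listed as an NS for the
#    subdomain but is not authoritative for it.
#
zone "sub.corp.example" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};

#
# 2. named.conf on the subdomain primary (192.0.2.53, hypothetical):
#    TSIG-restricted transfers instead of a blanket refusal. Only transfer
#    requests signed with the shared key are honoured; unsigned AXFR/IXFR
#    requests are refused.
#
key "parent-xfer" {
    algorithm hmac-sha256;
    # Placeholder secret for illustration only: generate a real one with
    # tsig-keygen (older BIND: dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST)
    # and never reuse this value.
    secret "cGxhY2Vob2xkZXItc2VjcmV0LXJlcGxhY2UtbWUtbm93";
};

zone "sub.corp.example" {
    type master;
    file "sub.corp.example.zone";
    allow-transfer { key "parent-xfer"; };
};

#
# 3. named.conf on the parent's server, replacing the forward zone in (1):
#    a secondary that signs its requests to the primary with the same key
#    and therefore holds a full copy of the zone. It can now answer RD=0
#    queries from the delegation chain, because it really is authoritative.
#
key "parent-xfer" {
    algorithm hmac-sha256;
    secret "cGxhY2Vob2xkZXItc2VjcmV0LXJlcGxhY2UtbWUtbm93";
};

server 192.0.2.53 {
    keys { "parent-xfer"; };
};

zone "sub.corp.example" {
    type slave;
    masters { 192.0.2.53; };
    file "sec/sub.corp.example.zone";
};
```

To reproduce what the remote users' resolvers actually send, query the parent server with recursion disabled, e.g. `dig +norecurse @ourserver node.sub.corp.example`: with configuration (1) there is no authoritative answer, with (3) the reply carries the AA bit and the zone data. Run `named-checkconf` after each change, and keep in mind that TSIG only authenticates who may request a transfer; it does not hide the zone contents from anyone who can read the traffic.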