allow-query and views
Robert Moskowitz
rgm at htt-consult.com
Thu Feb 21 19:26:38 UTC 2013
On 02/21/2013 02:16 PM, Vernon Schryver wrote:
>> The ARM says in part:
>>
>> Built-in server information zones
>> The server provides some helpful diagnostic information through a
>> number of built-in zones under the pseudo-top-level-domain bind
>> in the CHAOS class. These zones are part of a built-in view (see
>> the section called "view Statement Grammar") of class CHAOS which
>> is separate from the default view of class IN; therefore, any
>> global server options such as allow-query do not apply to these
>> zones. If you feel the need to disable these zones, use the options
>> below, or hide the built-in CHAOS view by defining an explicit
>> view of class CHAOS that matches all clients.
> Now that I read what I wrote, I see that it's wrong.
>
> I found and just now verified that options{allow-query{}} affects
> the _bind view at least in 9.10.0pre-alpha with the rrl and rpz2
> patches. I found that feature (or perhaps bug) when I decided to
> stop hiding the version I use lest anyone think I don't do what I
> advocate with BIND patches.
>
> I don't know whether the bug is in the ARM or the code. If you
> pick one, I can argue the other.
Well my named.conf now has in general options:
allow-query { localhost; };
allow-query-cache { localhost; };
recursion no;
And no access to the chaos zone from my testing out on the internet.
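
Added example, not part of the original post or of BIND: one way to repeat the outside-in test described above against a server you operate, by sending a version.bind CH TXT query and checking whether any answer comes back. The function names and the sample replies are constructed for illustration; the script assumes the server listens on UDP port 53.

```python
import socket
import struct
import sys

TYPE_TXT, CLASS_CH = 16, 3
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(name="version.bind", qid=0x1234):
    """Build a DNS query for <name> in class CHAOS, type TXT, RD bit clear."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", TYPE_TXT, CLASS_CH)

def classify(response, qid=0x1234):
    """Return (rcode_name, answer_count, exposed) for a raw DNS reply."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a reply to our query")
    rcode = flags & 0x000F
    # The built-in zone is reachable only if the server answered with data.
    return RCODES.get(rcode, str(rcode)), ancount, rcode == 0 and ancount > 0

def check_server(server, name="version.bind", timeout=3.0):
    """Query a server you operate over UDP; a timeout counts as not exposed."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return ("TIMEOUT", 0, False)
    return classify(data)

# Constructed sample replies (not captured traffic), used when no server is given.
_QUESTION = build_query()[12:]
_TXT = b"constructed-version-string"
_ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(_TXT) + 1) + bytes([len(_TXT)]) + _TXT
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + _QUESTION
SAMPLE_ANSWERED = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + _QUESTION + _ANSWER

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_server(sys.argv[1]))
    else:
        print(classify(SAMPLE_REFUSED), classify(SAMPLE_ANSWERED))
```

Run it from a host that is not in the allow-query ACL, passing the server address as the only argument; the third field of the result is True only when the CHAOS zone answered.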