Allowing recursive queries of 'static-stub' zones

Mark Andrews marka at isc.org
Thu Jan 29 20:58:34 UTC 2015


Firstly allow-query on a static stub does nothing.  The parser
allows it because it has to allow every possible combination and
we missed blocking this at the post parse stage.  The cache only
has one acl.

You should be a master for 31-24.2.1.10.in-addr.arpa and a slave
for 2.1.10.in-addr.arpa.  This is by far the easiest way to do RFC
2317 setups.

Your ISP should be a master for 2.1.10.in-addr.arpa and a slave for
31-24.2.1.10.in-addr.arpa.  All the other slaves of 2.1.10.in-addr.arpa
should be slaves for 31-24.2.1.10.in-addr.arpa.

Your internal recursive servers should be master/slaves of
2.1.10.in-addr.arpa, 31-24.2.1.10.in-addr.arpa and your internal
zones.  Yes, this is mixing recursive and authoritative service.
This is fine.

KISS is the principle people should be using.  Stub, static-stub
and forward zones are all overused.

Additionally, obscuring names does not help anyone.  ALL and I repeat
ALL it does is stop people checking that what you have told us
matches with reality.  It is not a security issue.  It has never
been a security issue.  Knowing the name and addresses of machines
is not and never has been a security issue.

Even back in the past with .rhosts and rsh, if the local nameserver
had a copy of the zones which contained the names in .rhosts you
were secure.  It was when you didn't let people transfer the zone
that you were insecure.

Mark

In message <lylhklmu1f.fsf at ensc-virt.intern.sigma-chemnitz.de>, Enrico Scholz writes:
> Matus UHLAR - fantomas <uhlar at fantomas.sk> writes:
> 
> >>I am trying to setup a nameserver which:
> >>
> >>a) allows recursive queries from certain clients only, but
> >>
> >>b) provides responses for a static-stub zone (which is used to return
> >>   PTR records for an RFC2317 setup)
> >>
> >>Although I have set 'allow-query { any; };' in the static-stub zone, I
> >>get a REFUSED for clients not enabled in a).
> > [...]
> >>How can I enable recursive queries for 'static-stub' zones?
> >
> > static-stub only points server to other servers to look up, therefore it
> > needs recursion too.
> 
> ok; some more details.  I have a '31-24.2.1.10.in-addr.arpa.' RFC2317 zone
> and my DNS server is authoritative for it (obfuscated; this corresponds to
> "localhost" zone in my initial example).  This zone can be queried from
> everywhere.
> 
> This server must allow recursive queries from internal clients (those
> in the global 'allow-query' list) and it must be able to resolve
> '25.2.1.10.in-addr.arpa.' and the other ip addresses from this range.
> 
> Although not strictly necessary, resolving of '25.2.1.10.in-addr.arpa.'
> should be possible from outside (--> not covered by global allow-query
> list) too.
> 
> 
> > Do you want to provide RFC2318 zones for anyone or just for your
> > clients? In the latter case the allow-recursion should help you for
> > both cases, you don't need to specify allow-query.
> 
> I guess, I want the first case...
> 
> 
> 
> Enrico
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
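As an added illustration of the layout Mark recommends (not a configuration from the original thread or from ISC), here is a named.conf excerpt for one of the internal recursive servers: it is master for the RFC 2317 sub-zone 31-24.2.1.10.in-addr.arpa, slave for the parent 2.1.10.in-addr.arpa, and restricts recursion with allow-recursion rather than with the global allow-query. The acl name, the 10.1.2.0/24 client network, the ISP server address 192.0.2.53 and the zone file names are assumed placeholders.

```conf
// Added example: internal recursive server that is also authoritative
// for the parent /24 reverse zone and the RFC 2317 sub-zone.
// "internal", 10.1.2.0/24 and 192.0.2.53 are assumed placeholder values.

acl internal { 10.1.2.0/24; 127.0.0.1; };

options {
    directory "/var/named";                 // assumed path
    recursion yes;
    allow-recursion   { internal; };        // (a) recursion only for internal clients
    allow-query       { any; };             // authoritative data answerable by anyone
    allow-query-cache { internal; };        // the cache has a single ACL; keep it internal
};

// (b) RFC 2317 sub-zone for 10.1.2.24/29: this server is a master.
zone "31-24.2.1.10.in-addr.arpa" {
    type master;
    file "db.31-24.2.1.10.in-addr.arpa";
    allow-transfer { 192.0.2.53; internal; }; // ISP's server (assumed) and other internal servers slave it
};

// Parent /24 reverse zone: the ISP is master, this server is a slave.
// Names such as 25.2.1.10.in-addr.arpa therefore resolve authoritatively
// here with no stub, static-stub or forward zone involved.
zone "2.1.10.in-addr.arpa" {
    type slave;
    file "db.2.1.10.in-addr.arpa";
    masters { 192.0.2.53; };
};
```

For this to work the ISP's copy of 2.1.10.in-addr.arpa has to delegate the sub-zone and alias each address into it in the usual RFC 2317 way, for example `31-24 NS ns.example.net.` plus `25 CNAME 25.31-24` (with ns.example.net a placeholder for your nameserver's name), and the sub-zone file holds the actual `25 PTR host.example.net.` records. Because the parent zone is held locally as a slave, queries from outside for 25.2.1.10.in-addr.arpa are answered from authoritative data and never touch the recursion or cache ACLs, which is why the REFUSED in the original report goes away without any allow-query on a static-stub zone.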

