named and use of resolv.conf? - how to "learn" this

Cathy Almond cathya at isc.org
Tue Aug 9 11:24:02 UTC 2016


On 03/08/2016 14:59, Matthew Pounsett wrote:
> 
> 
> On 2 August 2016 at 19:50, Evan Hunt <each at isc.org
> <mailto:each at isc.org>> wrote:
> 
>     On Tue, Aug 02, 2016 at 05:04:33PM -0400, Matthew Pounsett wrote:
>     > Yes it will.  But, as far as I understand, it uses the recursive code paths
>     > to do that, and won't consult resolv.conf.  Yes?
> 
>     Correct. However, an option to use the system resolver for this instead
>     is a feature request we've been considering.
> 
>     The reason: Whenever we find a security bug that affects recursive
>     operation only, someone who runs an auth-only server inevitably asks
>     whether their system is affected, and we always have to say, "well,
>     *probably* not, but recursive code *is* sometimes used in authoritative
>     servers in order to blah blah etc" and it might be nice to just say no.
> 
> 
> I'd suggest another reason:  the auth server should be subject to the
> same resolution path/rules as other software in the network.  If, for
> example, I've got some resolution exception configured in my local
> recursive servers (such as a per-zone forwarding rule) it seems likely
> I'd want the authoritative server to follow that without having to also
> configure it into the authoritative server.

Per Tony Finch's later suggestion - you can achieve the equivalent by
setting up global forwarding to your recursive servers from your
authoritative-only server (it'll do it slightly differently than most
resolver stubs though, because it will learn which recursive servers are
most responsive and use those in preference to the order in which they
appear in resolv.conf, and you don't get to set the domain or the
searchlist - but really, those are irrelevant...).

One caveat if we implement this: by making named use the local
resolver libs instead of doing its own recursion, yes, you're
avoiding issues that affect recursive-only behaviour of named, but
instead you're replacing those with any vulnerabilities or weaknesses
in the libs that the system-provided resolver stub is using.  So it
would likely be a 'use with care and knowledge' type of configurable
option.

(The grass looks greener, but when you come closer...)

Cathy
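Below is an added configuration example illustrating the workaround Cathy describes (global forwarding from an authoritative-only named to the site's recursive servers). It is not code from the original message, from ISC, or from the thread participants; the forwarder addresses are placeholders from the RFC 5737 documentation range, the zone name and file paths are illustrative, and the example assumes a BIND 9 named of the era discussed.

```conf
// Added example, not from the original thread or ISC documentation.
// Authoritative-only named.conf that sends any lookups named still
// performs for itself to the site's recursive servers, instead of
// iterating from the root with its own recursive code path.
options {
    directory "/var/named";

    // Do not recurse on behalf of clients: this server is auth-only.
    recursion no;

    // Without the two statements below, named would resolve its own
    // internal lookups itself.  With them, those lookups go to the
    // listed recursive servers ("forward only" means never fall back
    // to iterating if they do not answer).
    forward only;
    forwarders {
        192.0.2.53;   // placeholder: your first recursive server
        192.0.2.54;   // placeholder: your second recursive server
    };
};

// Illustrative zone; the authoritative data itself is unaffected.
zone "example.com" {
    type master;
    file "example.com.zone";
};
```

As Cathy notes, named picks among the listed forwarders by measured responsiveness rather than by list order, and there is no equivalent of resolv.conf's domain or search settings; the per-zone forwarding exceptions Matthew mentions stay configured on the recursive servers, which now see the authoritative server's lookups like any other client's.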

