9.7.0a2 - deny-answer-addresses
clemens fischer
ino-news at spotteswoode.dnsalias.org
Fri Aug 21 16:13:05 UTC 2009
Jeremy C. Reed wrote:
> Thank you very much for testing the alpha release.
My pleasure! I had a workaround resulting in dns-rebind protection in
my pdnsd[1] resolver, but pdnsd doesn't support dnssec and a few other
features.
[1] http://www.phys.uu.nl/~rombouts/pdnsd.html
>> deny-answer-addresses {
>> 127/8; 192.168/16; 10/8; 172.16/12;
>> } except-from {
>> "zen.spamhaus.org";
>> "dnsbl-1.uceprotect.net";
>> "dnsbl-1.uceprotect.net";
>
> This is repeated, resulting in "already exists" (via the RBT code).
>
> Maybe we can improve the configuration failure logging for this.
Now do I believe that! I must have read these lines dozens of times but
missed the obvious duplication!
> Not supported in a type forward zone.
"deny-answer-addresses" might be helpful in forwarding and maybe even
server zones.
clemens
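
An added example, not part of the original message and not BIND code: a small pre-load check that finds names listed more than once in an `except-from` list, the mistake behind the "already exists" failure discussed above. The sample configuration is constructed from the quoted fragment (closed so it parses), and comparing names case-insensitively with any trailing dot ignored is an assumption about how the names are matched.

```python
import re
from collections import Counter

# Constructed sample: the block quoted in the message, closed so it parses.
SAMPLE_CONF = '''
options {
    deny-answer-addresses {
        127/8; 192.168/16; 10/8; 172.16/12;
    } except-from {
        "zen.spamhaus.org";
        "dnsbl-1.uceprotect.net";
        "dnsbl-1.uceprotect.net";
    };
};
'''

# Matches deny-answer-addresses / deny-answer-aliases followed by except-from { ... }.
BLOCK_RE = re.compile(
    r'(deny-answer-(?:addresses|aliases))\s*\{[^{}]*\}\s*except-from\s*\{([^{}]*)\}',
    re.IGNORECASE)

def strip_comments(text):
    """Drop /* */, // and # comments (does not handle these inside quoted strings)."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.DOTALL)
    return re.sub(r'(?://|#)[^\n]*', '', text)

def normalize(name):
    """Assumption: names compare case-insensitively, trailing dot ignored."""
    return name.strip().strip('"').rstrip('.').lower()

def duplicate_exceptions(conf_text):
    """Return {option: [names listed more than once]} for each except-from list."""
    findings = {}
    for option, body in BLOCK_RE.findall(strip_comments(conf_text)):
        names = [normalize(n) for n in body.split(';') if n.strip()]
        dups = sorted(n for n, count in Counter(names).items() if count > 1)
        if dups:
            findings.setdefault(option.lower(), []).extend(dups)
    return findings

if __name__ == '__main__':
    for option, names in duplicate_exceptions(SAMPLE_CONF).items():
        for name in names:
            print(f'{option}: except-from lists "{name}" more than once')
```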
More information about the bind-users mailing list