allow-query and views
Robert Moskowitz
rgm at htt-consult.com
Thu Feb 21 19:22:53 UTC 2013
On 02/21/2013 02:04 PM, Vernon Schryver wrote:
>> From: Robert Moskowitz <rgm at htt-consult.com>
>> Whoa... This is news. A hidden view? Where is this documented?
> The ARM says in part:
>
> Built-in server information zones
> The server provides some helpful diagnostic information through a
> number of built-in zones under the pseudo-top-level-domain bind
> in the CHAOS class. These zones are part of a built-in view (see
> the section called "view Statement Grammar") of class CHAOS which
> is separate from the default view of class IN; therefore, any
> global server options such as allow-query do not apply to these
> zones. If you feel the need to disable these zones, use the options
> below, or hide the built-in CHAOS view by defining an explicit
> view of class CHAOS that matches all clients.
Oy vey, through a glass darkly. Pieces come back to me about things I
learned when Kevin introduced me to bind back in '93 and since then I
have only delved into it when I did an upgrade (like right now!).
I missed Chaosnet, I was doing X.25 stuff around then. Of course use it
for odds and ends these days.
And I seemed to have tightened up my rules real tight. In the global
options I have locked down queries to only localhost, then open it up in
the views. I just tested externally and no access to chaos now. Here
is the log entry:
Feb 21 14:14:37 onlo named[24803]: client 70.194.0.112#9517: query
'version.bind/TXT/CH' denied
>
>> I
>> have no restrictions in my general options section. Figured that the
>> specific view ones were all that was needed. Now I am upset.
> It's not a real view, because you can't change it except by
> editing the BIND source, using the version, hostname, and server-id
> options, hiding it as the ARM says, or with default options.
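
The two approaches discussed in this thread, as an added named.conf sketch that is not from either poster or from the ARM: the locked-down global allow-query that is opened up per view, as the message above reports, and the ARM's explicit class CHAOS view that matches all clients. The ACL name, view names and addresses are placeholder assumptions.

```conf
// Constructed example; "inside", the view names and 192.0.2.0/24 are placeholders.
acl "inside" { 127.0.0.1; 192.0.2.0/24; };

options {
    // Locked-down default, as described in the message above: queries are
    // allowed from localhost only unless a view opens them up.
    allow-query { localhost; };

    // The options the quoted replies refer to: stop the built-in zones
    // from disclosing the software version, host name and server ID.
    version none;
    hostname none;
    server-id none;
};

// Class IN views override the restrictive global default where needed.
view "internal" in {
    match-clients { "inside"; };
    allow-query { "inside"; };
    recursion yes;
};

view "external" in {
    match-clients { any; };
    allow-query { any; };
    recursion no;
    // authoritative zones for outside clients go here
};

// The ARM's alternative: an explicit view of class CHAOS that matches all
// clients, so the built-in CHAOS view is never selected for any query.
view "chaos-hidden" chaos {
    match-clients { any; };
    allow-query { none; };
    recursion no;
};
```

`named-checkconf` checks the syntax before a reload; a `version.bind` TXT query in class CH sent from an outside host then shows whether the lock-down took effect.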