sorry to ruin several of your evenings...
Stephen Stuart
stuart at mfnx.net
Thu Feb 1 08:15:23 UTC 2001
So, I said this about controlling who can query "version.bind":
> "allow-query" lets you control who can see that information:
>
> zone "bind" chaos {
>     allow-query {
>         127.0.0.1 ;
>         xxx.xxx.xxx.xxx/len ;
>     } ;
>     type master;
>     file "filename";
> };
and Rob Thomas was kind enough to point out that this caused bind9 to
dump core. I did, in fact, take the example from a bind8 server. I
tried replicating it in bind9, and while it didn't dump core (perhaps
that was 9.0.x behavior?), on 9.1.0 the log messages suggested that I
acquaint myself with "views."
I did, and a named.conf for a recursive server that only allows
localhost to access the "bind" zone for class "CHAOS" while performing
general recursive service for class "IN" is:
view "external" {
    match-clients {
        any ;
    } ;
    zone "127.in-addr.arpa" {
        type master ;
        notify no ;
        file "primary/127.in-addr.arpa" ;
    } ;
    zone "." {
        type hint ;
        file "cache/cache.db" ;
    } ;
} ;
view "local" chaos {
    match-clients {
        127.0.0.1 ;
    } ;
    zone "bind" {
        type master ;
        file "primary/bind" ;
    } ;
    zone "." {
        type hint ;
        file "cache/cache.chaos" ;
    } ;
} ;
Zone file contents are left as an exercise to the reader; it seems to
do the trick in restricting access in the same manner as my bind8
example.
Thank you to Rob for pointing out that my solution only worked for
bind8; hopefully this helps anyone trying to puzzle it out for bind9.
Stephen
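One way to verify that the view split above actually hides the version from non-local clients, as an added example that is not part of the original post: a small Python script that sends the same CHAOS-class TXT query for "version.bind" that dig does and reports whether the server answered with a version string or refused. The two sample responses are constructed inline (not captured from any real server) so the parsing can be checked offline; query_server is for testing your own server and takes whatever host and port you give it.

```python
import socket
import struct
# Wire-format question: name "version.bind", type TXT (16), class CHAOS (3).
QUESTION = b"\x07version\x04bind\x00" + struct.pack("!HH", 16, 3)
RCODES = {0: "NOERROR", 3: "NXDOMAIN", 5: "REFUSED"}
# Constructed sample responses (not captured from any real server): one that
# answers with "9.1.0", one that refuses the query, as a restricted view would.
ANSWERED = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
            + b"\xc0\x0c" + struct.pack("!HHIH", 16, 3, 0, 6) + b"\x059.1.0")
REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0) + QUESTION

def build_version_query(txid=0x1234):
    """Query header (RD set, one question) followed by the CHAOS question."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + QUESTION

def skip_name(data, off):
    """Advance past a (possibly compressed) domain name; return new offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer, two bytes total
            return off + 2
        off += 1 + length

def parse_version_response(data):
    """Return (rcode name, TXT strings from CHAOS-class answer records)."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4  # skip qtype and qclass
    txts = []
    for _ in range(an):
        off = skip_name(data, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        rdata, off = data[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 16 and rclass == 3:
            i = 0
            while i < len(rdata):  # TXT rdata is a series of <len><chars>
                txts.append(rdata[i + 1:i + 1 + rdata[i]].decode("latin-1"))
                i += 1 + rdata[i]
    return RCODES.get(flags & 0xF, str(flags & 0xF)), txts

def query_server(host, port=53, timeout=3.0):
    """Live check against your own server: send the query over UDP, parse it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_version_query(), (host, port))
        reply, _ = sock.recvfrom(512)
    return parse_version_response(reply)
```

Run query_server once from localhost and once from an address outside match-clients; the first should return ("NOERROR", [...]) and the second "REFUSED" with an empty list.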