[34255] in North American Network Operators' Group

Re: sorry to ruin several of your evenings...

daemon@ATHENA.MIT.EDU (Stephen Stuart)
Thu Feb 1 03:21:21 2001

Message-Id: <200102010815.f118FNf88391@hi.tech.org>
To: nanog@merit.edu
In-reply-to: Your message of "Tue, 30 Jan 2001 12:38:01 PST."
             <200101302038.f0UKc1f60062@hi.tech.org> 
Date: Thu, 01 Feb 2001 00:15:23 -0800
From: Stephen Stuart <stuart@mfnx.net>
Errors-To: owner-nanog-outgoing@merit.edu


So, I said this about controlling who can query "version.bind":

> "allow-query" lets you control who can see that information:
> 
> zone "bind" chaos { 
>         allow-query {
>                 127.0.0.1 ;
>                 xxx.xxx.xxx.xxx/len ;
>         } ;
>         type master; 
>         file "filename"; 
> };

and Rob Thomas was kind enough to point out that this caused bind9 to
dump core. I did, in fact, take the example from a bind8 server. I
tried replicating it in bind9, and while it didn't dump core (perhaps
that was 9.0.x behavior?), on 9.1.0 the log messages suggested that I
acquaint myself with "views."

I did, and a named.conf for a recursive server that only allows
localhost to access the "bind" zone for class "CHAOS" while performing
general recursive service for class "IN" is:

view "external" {
        match-clients {
                any ;
        } ;
        zone "127.in-addr.arpa" {
                type master ;
                notify no ;
                file "primary/127.in-addr.arpa" ;
        } ;
        zone "." {
                type hint ;
                file "cache/cache.db" ;
        } ;
} ;

view "local" chaos {
        match-clients {
                127.0.0.1 ;
        } ;
        zone "bind" {
                type master ;
                file "primary/bind" ;
        } ;
        zone "." {
                type hint ;
                file "cache/cache.chaos" ;
        } ;
} ;

Zone file contents are left as an exercise to the reader; it seems to
do the trick in restricting access in the same manner as my bind8
example.

Thank you to Rob for pointing out that my solution only worked for
bind8; hopefully this helps anyone trying to puzzle it out for bind9.

Stephen
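Added check, not code from the post or from ISC: a small Python script that parses the simplified named.conf grammar used above and reports, for each CHAOS "bind" zone, which non-loopback client entries both match-clients and allow-query admit, so the bind9 view layout can be compared with a bind8-style top-level zone statement. The parser, the LOOPBACK set and the condensed sample config are assumptions of this example; named ACLs, negated entries and an options-level allow-query are not resolved, so anything not recognised as loopback is reported.

```python
import re
LOOPBACK = {"127.0.0.1", "127.0.0.1/32", "::1", "::1/128", "localhost"}  # "localhost only"

def tokenize(text):
    """Strip /* */, // and # comments; split into strings, braces, ';' and words."""
    text = re.sub(r"/\*.*?\*/|(?://|#)[^\n]*", "", text, flags=re.S)
    return re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)

def parse(tokens, i=0):
    """Return (statements, next index); a statement is (args, body-or-None)."""
    stmts, args, body = [], [], None
    while i < len(tokens):
        tok, i = tokens[i], i + 1
        if tok == "{":
            body, i = parse(tokens, i)
        elif tok in ("}", ";"):
            if args:
                stmts.append((args, body))
            args, body = [], None
            if tok == "}":
                return stmts, i
        else:
            args.append(tok.strip('"'))
    return stmts, i

def acl(body, key):
    """Entries of `key { a; b; };` in a statement body, or BIND's default of any."""
    hits = [[e[0] for e, _ in b or []] for a, b in body or [] if a == [key]]
    return hits[0] if hits else ["any"]

def chaos_bind_clients(config):
    """Non-loopback clients each CHAOS "bind" zone admits, keyed by where it is declared."""
    report = {}
    for args, body in parse(tokenize(config))[0]:
        if args[0] == "view":  # bind9: zones inherit the view's class and match-clients
            match, vclass = acl(body, "match-clients"), (args[2:3] or ["in"])[0]
            zones = [(z, b, vclass, "view " + args[1]) for z, b in body or []]
        else:                  # bind8 style: a top-level zone statement, reachable by anyone
            zones, match = [(args, body, "in", "top-level")], ["any"]
        for zargs, zbody, klass, where in zones:
            if [x.lower() for x in zargs[:2]] != ["zone", "bind"] or \
                    (zargs[2:3] or [klass])[0].lower() != "chaos":
                continue
            m = [e for e in match if e not in LOOPBACK]
            a = [e for e in acl(zbody, "allow-query") if e not in LOOPBACK]
            report[where] = (a if "any" in m else m) if m and a else []  # both ACLs must admit
    return report

# Constructed sample: the post's two bind9 views with the zone bodies condensed.
POST_BIND9 = """view "external" { match-clients { any; }; zone "." { type hint; file "cache/cache.db"; }; };
view "local" chaos { match-clients { 127.0.0.1; }; zone "bind" { type master; file "primary/bind"; }; };"""
```

Running chaos_bind_clients(POST_BIND9) returns {'view local': []}, i.e. only loopback reaches the CHAOS zone; a chaos view whose match-clients is "any" would instead be reported with ['any'].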
