DNS Security

Jim Reid jim at rfc1035.com
Mon Dec 27 20:56:46 UTC 1999


>>>>> "Bill" == wwebb  <wwebb at adni.net> writes:


    Bill> If so, then what is the purpose of the "allow-query { any; }"
    Bill> entry above?
    >> This entry means that there's an ACL of "any" for the acmebw.com
    >> zone. Anybody anywhere can send the name server queries for
    >> names in that zone, which is how things generally should
    >> be. The zone-specific ACL is applied instead of the global
    >> one....

    Bill> Aside from the master zone statements, is it necessary to
    Bill> have "allow-query { any; }" in the slave zone statements to
    Bill> overcome the global one?

Your question is ambiguously worded. Are you concerned about slave
zones in general that have (or don't have) ACLs or are you asking
about slave servers for a zone where its master server has an ACL?

If there's a global ACL and you don't want it to be applied for some
zone - whether the name server is master or slave for that zone is
irrelevant - you have to supply a zone-specific ACL. If the global ACL
is good enough, then a zone-specific ACL isn't needed. Whether adding or
removing ACLs from a slave zone statement is necessary or not depends
on what it is you're trying to do.

If you *must* have ACLs, it's probably safest and cleanest to add
explicit ACLs to each zone statement. This will clearly define
whatever access control policy(s) you want the name server to
implement. Mean what you say and say what you mean and all that.
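
The following named.conf fragment is an added illustration and not part of the original message. It shows a restrictive global allow-query overridden per zone, with every zone stating its ACL explicitly as the reply recommends. The ACL name "trusted", the addresses (documentation ranges), the file names and the example.net and internal.example zones are assumptions; only acmebw.com comes from the thread.

```conf
// Constructed example: addresses, file names and the "trusted" ACL
// are placeholders, not values from the thread.
acl "trusted" {
    192.0.2.0/24;       // assumed internal network
    localhost;
};

options {
    directory "/var/named";
    // Global ACL: applies to any zone that has no allow-query of its own.
    allow-query { "trusted"; };
};

// Master zone: the zone-specific ACL is applied instead of the global
// one, so anybody anywhere may query names in acmebw.com.
zone "acmebw.com" {
    type master;
    file "db.acmebw.com";
    allow-query { any; };
};

// Slave zone: master or slave makes no difference to how the ACL is
// chosen. Without this allow-query line the global "trusted" ACL
// would apply and outside clients would be refused.
zone "example.net" {
    type slave;
    masters { 198.51.100.1; };   // assumed master server address
    file "bak.example.net";
    allow-query { any; };
};

// A zone meant to stay internal: the global ACL would be good enough,
// but repeating it here makes the policy visible in the zone statement.
zone "internal.example" {
    type master;
    file "db.internal.example";
    allow-query { "trusted"; };
};
```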



More information about the bind-users mailing list