"recursion available: denied" message even for non-recursive queries?

Kevin Darcy kcd at daimlerchrysler.com
Thu Apr 4 22:33:52 UTC 2002


Mark_Andrews at isc.org wrote:

> >
> > gschmid at notes.cc.sunysb.edu wrote:
> >
> > > I'm running 9.2.0 on a Tru64/DEC UNIX box.
> > >
> > > In my named.conf file I have an
> > >       allow-recursion { acl_list; };
> > > statement.
> > >
> > > Everything seems to be working as expected.
> > > Hosts on the acl list get answers to all queries.
> > > Hosts not on the acl list do not get answers to
> > > recursive queries.
> > >
> > > The question that I have is with the logging of the
> > > security category messages when my name server
> > > is queried from hosts not on the acl list.
> > >
> > > I get the following log message:
> > >
> > > recursion available: denied
> > >
> > > when hosts who are not on the acl list make
> > > recursive *and* non-recursive queries.  I would
> > > have expected that message only when hosts
> > > not on the acl list make recursive queries.
> > > Why do I also get the message when hosts not
> > > on the acl list make non-recursive queries
> > > (and get answers to those non-rec. queries)?
> >
> > I'd consider it a logging bug. Even if the message is intended to be
> > purely informational, it shouldn't use the term "denied" in this
> > situation, nor should it log to the "security" category.
> >
> >
> > - Kevin
>
>         Well if you turn on debugging you get lots of additional
>         things logged.

It's not a question of the quantity of messages, but the quality. The
message shouldn't be logged under "security" and use the (charged) verb
"deny" if it is completely routine, i.e. a non-recursing answer to a
non-recursive query. There are no security implications whatsoever to the
transaction, so why raise a red flag, even at the debug level?


- Kevin
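For reference, the configuration the thread is discussing, as an added example rather than anything posted by the participants: a minimal named.conf that places the allow-recursion ACL next to a logging block for the "security" category, so that the "recursion available: denied" messages (which the thread identifies as debug-level output) can be seen on one channel and kept out of another. The ACL network, file paths and channel names are placeholders chosen for the example.

```conf
// Added example, not from the original thread. Placeholder values:
// the 192.0.2.0/24 network, the file paths and the channel names.

acl acl_list {
        127.0.0.1;
        192.0.2.0/24;   // hosts allowed to recurse (placeholder network)
};

options {
        directory "/var/named";

        // Anyone may send queries; only acl_list members get recursion.
        // Clients outside the ACL still receive answers to non-recursive
        // queries for data the server holds, as described in the thread.
        allow-query     { any; };
        allow-recursion { acl_list; };
};

logging {
        channel security_debug {
                file "/var/named/security.log" versions 3 size 1m;
                // Debug-level security messages such as
                // "recursion available: denied" reach this channel only
                // while named's debug level is raised (named -d 3, or
                // rndc trace), which is the behaviour the thread reports.
                severity debug 3;
                print-time yes;
                print-category yes;
        };

        channel security_prod {
                syslog daemon;
                // Kept at info and above: the routine debug-level
                // "denied" messages never reach syslog through here.
                severity info;
        };

        category security { security_debug; security_prod; };
};
```

With this split, the debug channel shows every evaluation of the ACL, while the syslog channel only carries security messages at info severity or higher, which avoids treating the per-query message as an alert.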
