About "update" packets

Maurizio Colella Maurizio.Colella at marconi.com
Wed Jun 16 14:28:18 UTC 2004


> Closing off TCP traffic to your name server is unwise. Don't do it.
.. yes, it is true...

> Some things -- ie zone transfers -- only work over TCP.
.. you must think that allowing "zone transfer" to the internet is a good
help for any hackers to know what our HOSTS are!
At the moment we never need to perform a zone transfer, only because we
don't have any slave servers..

> perfectly reasonable for a client to make queries over a TCP
> connection too, even though most queries are done using UDP.
.. yes, it is true ...

> This is also true for dynamic updates. They tend to be made over UDP but can
> be done with a TCP connection: check out the -v option to nsupdate.
.. Ok.. so you have given me the answer to my question..

> BTW, combining IP addresses and TSIG (or SIG(0)) keys in a BIND9 ACL
> is awkward. In other words, if you want to restrict access to clients
> who have specific IP addresses AND use a TSIG or SIG(0) key, it can be
> done. But it's clumsy.

> Consult the list archives.
.. Ok, I will..

> You might not have configured your ACL the way you expected it to work.
.. Yes, it is possible..
I've only one big resource: the "DNS and BIND" book, 4th edition, other than
this mailing list ;-)
This book suggests using: ACL, TSIG, and a statement named
"update-policy"..
.. Jim, thanks for your prompt response, I need to reach only one target
(not very simple ;-( ): "make my public DNS as secure as possible !!"
Thanks for all the suggestions.
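As an added illustration (not configuration from Jim's or Maurizio's messages), here is how the ACL, TSIG key and update-policy statements the book recommends could fit together in a named.conf. The key name, zone names, file names, secret and the 192.0.2.0/24 network are placeholders, hmac-sha256 is used instead of the hmac-md5 common in 2004, and the negated nested ACL is the usual way to get "address AND key" that Jim describes as clumsy.

```conf
// Constructed example, not from this thread: every name, network and
// the secret below are placeholders.
key "updkey" {
    algorithm hmac-sha256;               // prefer SHA-based HMACs over hmac-md5
    secret "REPLACE-WITH-BASE64-SECRET"; // generate with tsig-keygen
};

options {
    // No slave servers yet, so nobody needs AXFR/IXFR from this host.
    // Later, list the slaves' addresses or a key here rather than
    // blocking TCP port 53, which also breaks large answers and nsupdate -v.
    allow-transfer { none; };
};

// An address match list matches when ANY element matches, so listing an
// address and a key together means "address OR key". To require both,
// first reject everything outside the trusted network via a negated
// nested list, then require the key (the clumsy part Jim mentions).
acl "update-clients" {
    !{ !192.0.2.0/24; any; };   // rejects anything not in 192.0.2.0/24 ...
    key "updkey";               // ... and then still requires the TSIG key
};

// Coarse control: any signed update from the trusted network may change
// anything in the zone.
zone "example.com" {
    type master;
    file "db.example.com";
    allow-update { "update-clients"; };
};

// Finer control: update-policy (a zone uses either allow-update or
// update-policy, not both) lets this key change only A/AAAA records of
// one host, not the whole zone. The key identity does the restricting,
// so an address-based ACL is not needed here.
zone "dyn.example.com" {
    type master;
    file "db.dyn.example.com";
    update-policy {
        grant "updkey" name host1.dyn.example.com. A AAAA;
    };
};
```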