allow-query and version.bind

Andris Kalnozols andris at hpl.hp.com
Sun Oct 24 03:06:32 UTC 2004


> On Oct 15, Andris Kalnozols <andris at hpl.hp.com> wrote:
> 
> Summary: I'm trying to make version.bind and the other similar labels
> available even if options { allow-query { } } restricts queries by
> default.
> 
> >Here's how we do this at HP Labs:
> No luck...
> 
> I tried this:
> 
> view "chaos" chaos {
>   match-clients { any; };
>   allow-query { any; };
>   allow-recursion { any; };
>   zone "." {
>     type hint;
>     file "/dev/null";
>   };
> };
> 
> But now I get a SERVFAIL:
> 
> md at wonderland:~$bindver 213.92.8.2
> VERSION.BIND TXT record in class CH not found, server failure
> md at wonderland:~$
> 
> The debugging log is not helpful:
> 
> Oct 15 14:43:44.052 client: debug 3: client 151.44.134.16#51090: UDP request
> Oct 15 14:43:44.052 client: debug 5: client 151.44.134.16#51090: using view 'chaos'
> Oct 15 14:43:44.052 client: debug 3: client 151.44.134.16#51090: query
> Oct 15 14:43:44.052 client: debug 10: client 151.44.134.16#51090: ns_client_attach: ref = 1
> Oct 15 14:43:44.053 client: debug 3: client 151.44.134.16#51090: replace
> Oct 15 14:43:44.053 general: debug 3: clientmgr @0x100ae438: createclients
> Oct 15 14:43:44.053 general: debug 3: clientmgr @0x100ae438: recycle
> Oct 15 14:43:44.053 resolver: debug 1: createfetch: VERSION.BIND TXT
> Oct 15 14:43:44.053 resolver: debug 3: fctx 0x10783270: create
> Oct 15 14:43:44.053 client: debug 3: client 151.44.134.16#51090: error
> Oct 15 14:43:44.054 client: debug 3: client 151.44.134.16#51090: send
> Oct 15 14:43:44.054 client: debug 3: client 151.44.134.16#51090: sendto
> Oct 15 14:43:44.054 client: debug 3: client 151.44.134.16#51090: senddone
> Oct 15 14:43:44.054 client: debug 3: client 151.44.134.16#51090: next
> Oct 15 14:43:44.054 client: debug 10: client 151.44.134.16#51090: ns_client_detach: ref = 0
> Oct 15 14:43:44.054 client: debug 3: client 151.44.134.16#51090: endrequest
> 
> 
> Your recipe for BIND 8 does not work either, because the loaded zone
> masks the RR which are usually generated by BIND.
> 
> -- 
> ciao, |
> Marco | [8576 caeWxBWD.4/Pk]


Sorry, I didn't follow this thread from the original post and just
jumped in with a conventional recipe.  Here's how to get what you
want:

  Move your `allow-query { friends; };' statement out of the global
  options and into a view that defines your zones in the IN class,
  e.g.,

    options {
      directory "/var/cache/bind";

      allow-recursion { friends; };
      ...
    };

    view "default" in {
      match-clients { any; };
      allow-query { friends; };

      zone "bofh.it" {
        type master;
        ...
      };
      ...
    };

The default global option of `allow-query { any; };' will still be
in effect for queries in the CHAOS class that match BIND9's built-in
"_bind" view.


Andris
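
A way to check which scope a named.conf puts allow-query in, following the rule in the reply above: in the global options it also governs CHAOS-class queries such as version.bind, while inside an IN-class view it does not. This is an added example, not part of the original post or of BIND; the sample configs, the zone name example.test and the function names are constructed, and the tokenizer assumes a single file with no include statements.

```python
import re

# Constructed sample configs (not from the original thread).
RESTRICTED_GLOBALLY = '''
options {
  directory "/var/cache/bind";
  allow-query { friends; };   // also applies to the built-in "_bind" view
};
zone "example.test" { type master; file "db.example"; };
'''
MOVED_INTO_VIEW = '''
options {
  directory "/var/cache/bind";
  allow-recursion { friends; };
};
view "default" in {
  match-clients { any; };
  allow-query { friends; };
  zone "example.test" { type master; file "db.example"; };
};
'''

# Quoted strings, comments, structural characters, then bare words.
TOKEN = re.compile(r'"[^"]*"|/\*.*?\*/|(?://|#)[^\n]*|[{};]|[^\s{};"]+', re.S)

def allow_query_scopes(conf):
    """Return [(enclosing scope, ACL text)] for every allow-query statement."""
    stack, stmt, found = [], [], []
    for tok in TOKEN.findall(conf):
        if tok.startswith(("/*", "//", "#")):
            continue                          # comment token
        if tok == "{":
            label = " ".join(stmt)            # e.g. 'options' or 'view "default" in'
            if label == "allow-query":
                found.append(("/".join(stack) or "top", []))
            stack.append(label)
            stmt = []
        elif tok == "}":
            stack.pop()
            stmt = []
        elif tok == ";":
            stmt = []
        elif "allow-query" in stack:
            found[-1][1].append(tok)          # element of the ACL being read
        else:
            stmt.append(tok)
    return [(scope, " ".join(acl)) for scope, acl in found]

def global_allow_query(conf):
    """ACL set in the global options block, or None if the default is in effect."""
    return next((acl for scope, acl in allow_query_scopes(conf) if scope == "options"), None)
```

A return value other than None or "any" from global_allow_query() means the restriction sits where, per the thread, it also blocks version.bind.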


