Allow zone transfers - BIND.
Kevin Darcy
kcd at daimlerchrysler.com
Wed Oct 4 00:11:50 UTC 2006
AM wrote:
> Hi guys,
>
> just a more detailed explanation of what the statement "allow-transfer" does.
>
> Does it prevent anyone from getting the complete list of the registered hosts for a particular zone, or does it also apply
> to machines that want to act as a server for a particular zone?
> In "DNS and BIND" they say that on a slave you should deny zone transfers to anyone, but does that prevent anyone using
> nslookup from getting the complete list of the hosts anyway?
>
It's used for both master/slave replication and client queries like the
"ls" command of nslookup. In more technical detail, it controls any
usage of the AXFR or IXFR extensions to the DNS protocol.
I don't know why _DNS_and_BIND_ would say for slaves to deny zone
transfers completely. As long as you limit them to only "trusted"
servers it should satisfy even the most paranoid security administrators
(offer them TSIG-based authentication if they need some icing on the
cake). In fact, it is probably a good practice for each slave to list as
"masters" for any given zone the primary master and at least one other
slave -- that way if the master goes down for an extended period of
time, at least all of the slaves will replicate the most recent changes
that came out of the master amongst themselves, instead of perhaps
giving inconsistent answers for the duration of the outage. Implied in
the practice of listing multiple "masters" on each slave, of course, is
corresponding authority, defined on the master side, for all of those
slaves to actually transfer the zone(s) in question.
- Kevin
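As an added illustration of the setup described above (not from the original post or from BIND's own documentation), here is a named.conf fragment for a master and two slaves where transfers are restricted to holders of a shared TSIG key and each slave lists the other slave as a fallback master. The zone name, the 192.0.2.x addresses, the key name and the secret placeholder are all assumed values.

```conf
// === On the primary master, 192.0.2.1 (constructed example) ===
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   // placeholder: generate with tsig-keygen
};

zone "example.com" {
    type master;
    file "db.example.com";
    // Only AXFR/IXFR requests signed with xfer-key are answered; an unsigned
    // "ls" from nslookup or a dig AXFR from anywhere else is refused.
    allow-transfer { key "xfer-key"; };
    // Tell both slaves when the zone changes
    also-notify { 192.0.2.2; 192.0.2.3; };
};

// === On slave A, 192.0.2.2 (slave B at 192.0.2.3 mirrors this with the
// === addresses swapped); same key block as on the master ===
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   // must match the master's secret
};

// Sign outgoing requests (SOA queries, AXFR/IXFR) to each listed master
server 192.0.2.1 { keys { "xfer-key"; }; };
server 192.0.2.3 { keys { "xfer-key"; }; };

zone "example.com" {
    type slave;
    file "bak.example.com";
    // Primary master first, the other slave as a fallback source if the
    // master is unreachable for an extended period
    masters { 192.0.2.1; 192.0.2.3; };
    // Do NOT use "allow-transfer { none; }" here: the other slave must be
    // able to pull from us for the fallback to work. Key-restricted, not open.
    allow-transfer { key "xfer-key"; };
};
```

Reload with rndc and check with an unsigned AXFR from a non-listed host, which should be refused, and a key-signed one from a slave, which should succeed.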