Allow zone transfers - BIND.

AM am at
Wed Oct 4 22:47:26 UTC 2006

Kevin Darcy wrote:
> AM wrote:
>>Hi guys,
>>just a more detailed explanation on what the statement "allow-transfer".
>>Does it prevent to anyone to get the complete list of the registered hosts for a particular zone or does it apply also 
>>to machine that want to act as a server for a particular zone.
>>In "DNS and BIND" they say that on slave you should deny zone transfer to anyone, but does it prevent that anyone using 
>>nslookup get anyway the complete list of the hosts.
> It's used for both master/slave replication and client queries like the 
> "ls" command of nslookup. In more technical detail, it controls any 
> usage of the AXFR or IXFR extensions to the DNS protocol.
> I don't know why _DNS_and_BIND_ would say for slaves to deny zone 
> transfers completely. As long as you limit them to only "trusted" 

Because if you don't do so (and the slaves are the last ring of the chain) some one could get all 
the list from them. Last ring of the chain or last "authoritative" level means they don't responde 
to any other server pull requests.

> servers it should satisfy even the most paranoid security administrators 
> (offer them TSIG-based authentication if they need some icing on the 
> cake). 

I don't implement any kind of authentication, at least by now, maybe in the future.

> In fact, it is probably a good practice for each slave to list as 
> "masters" for any given zone the primary master and at least one other 
> slave -- that way if the master goes down for an extended period of 
> time, at least all of the slaves will replicate the most recent changes 
> that came out of the master amongst themselves, instead of perhaps 
> giving inconsistent answers for the duration of the outage.

Do you mean that, each slave must refer as a "master" to the primary master and to the other n-1 slaves?

> Implied in the practice of listing multiple "masters" on each slave, of course, is 
> corresponding authority, defined on the master side, for all of those 
> slaves to actually transfers the zone(s) in question.

I'm quite weak on this topic.

To be honest each company has got 2 server. Grouping more companies I could fall into the scenario 
you depicted. So, regarding the post on how to reply domain names entries, are you telling me that 
the "connection type" among the DNS should be a mesh? Each one eventually asking data to all the 
others in the group?
By the time being we have just two masters and two slave. Maybe doing a mesh wouldn't be such a 
difficult task, but if I needed to put more servers in the group I would need to update the old 
servers one by one.

Thank you very much,
you made me the DNS world much more friendly and a little bit less dark than it was before.


More information about the bind-users mailing list