query cache and BIND 9.4.1-P1

Mark Andrews Mark_Andrews at isc.org
Wed Aug 8 22:56:04 UTC 2007


	If you have not specified allow-query or allow-query-cache
	or allow-recursion, the default acls are:

	allow-query { any; };		// zones inherit this.
	allow-recursion { localnets; localhost; };
	allow-query-cache { localnets; localhost; };

	Mark

	--- 9.4.2b1 released ---

2206.   [security]      "allow-query-cache" and "allow-recursion" now
                        cross inherit from each other.

                        If allow-query-cache is not set in named.conf then
                        allow-recursion is used if set, otherwise allow-query
                        is used if set, otherwise the default (localnets;
                        localhost;) is used.

                        If allow-recursion is not set in named.conf then
                        allow-query-cache is used if set, otherwise allow-query
                        is used if set, otherwise the default (localnets;
                        localhost;) is used.

                        [RT #16987]

2202.   [security]      The default acls for allow-query-cache and
                        allow-recursion were not being applied. [RT #16960]

	--- 9.4.0 released ---

2006.   [security]      Allow-query-cache and allow-recursion now default
                        to the builtin acls "localnets" and "localhost".

                        This is being done to make caching servers less
                        attractive as reflective amplifying targets for
                        spoofed traffic.  This still leaves authoritative
                        servers exposed.

                        The best fix is for full BCP 38 deployment to
                        remove spoofed traffic.

1676.   [func]          New option "allow-query-cache".  This lets
                        allow-query be used to specify the default zone
                        access level rather than having to have every
                        zone override the global value.  allow-query-cache
                        can be set at both the options and view levels.
                        If allow-query-cache is not set allow-query applies.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
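
Added example (not part of the original message and not ISC code): a small Python audit helper that applies the cross-inheritance rule from change 2206 and the defaults listed above to work out which ACLs actually take effect. The function names are hypothetical, and ACLs are modelled as plain lists of element strings with no expansion of named acls or negation.

```python
# Defaults as stated in the message above.
DEFAULT_QUERY = ["any"]
DEFAULT_RESTRICTED = ["localnets", "localhost"]


def effective_acls(options):
    """Resolve effective ACLs from the ones explicitly set in named.conf.

    `options` maps an option name to its ACL element list; a missing key
    means the option is not set (assumed representation).
    """
    aq = options.get("allow-query")
    aqc = options.get("allow-query-cache")
    ar = options.get("allow-recursion")

    def first_set(*candidates):
        # Change 2206: use the first option that is set, else the built-in default.
        for acl in candidates:
            if acl is not None:
                return list(acl)
        return list(DEFAULT_RESTRICTED)

    return {
        "allow-query": list(aq) if aq is not None else list(DEFAULT_QUERY),
        # allow-query-cache -> allow-recursion -> allow-query -> default
        "allow-query-cache": first_set(aqc, ar, aq),
        # allow-recursion -> allow-query-cache -> allow-query -> default
        "allow-recursion": first_set(ar, aqc, aq),
    }


def open_to_any(options):
    """Names of the cache/recursion ACLs that end up admitting 'any'."""
    eff = effective_acls(options)
    return sorted(k for k in ("allow-query-cache", "allow-recursion")
                  if "any" in eff[k])


if __name__ == "__main__":
    # Constructed sample configurations, not taken from any real server.
    samples = {
        "nothing set": {},
        "explicit allow-query any": {"allow-query": ["any"]},
        "recursion limited": {"allow-query": ["any"],
                              "allow-recursion": ["localnets"]},
    }
    for name, opts in samples.items():
        print(name, effective_acls(opts), "open:", open_to_any(opts))
```

The second sample shows the case worth checking for: an explicitly set allow-query { any; } with neither of the other two options set is inherited by both allow-query-cache and allow-recursion, whereas leaving allow-query unset keeps them at localnets and localhost.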


