Allow-query setting for server-info and empty-zones

Chris Thompson cet1 at hermes.cam.ac.uk
Tue Jan 8 16:37:26 UTC 2008


On Jan 7 2008, Mark Andrews wrote:

[My original post in >>]
>>
>> Incidentally, the fact that the options-level "allow-query" controls access
>> to the server-info zones is (a) flatly in contradiction to what the ARM says:
>> 
>> | Built-in server information zones
>> ...
>> | therefore, any global server options such as allow-query do not 
>> | apply the these zones. 
>
>	The code is using the "allow-query-cache" acl.  allow-query-cache
>	inherits from allow-query iff you have set allow-query.

You are saying that "allow-query-cache" controls access to server information
zone contents? That would be mighty strange if true (since when are they part
of the cache?), and experiment with 9.4.2 shows that it is in fact false.

[Blocking one host in allow-query-cache and allow-recursion has no effect
on access to TXT/CH/version.bind from that host, while blocking it in 
allow-query alone leads to it getting a REFUSED response.]

>> and (b) a source of embarrassment to me. For our authoritative-only servers
>> we have an options-level "allow-query {[very-little];};" overridden for each
>> zone with (mostly) "allow-query {any;};" -- this is so the named.conf will
>> work with both 9.3.x and 9.4.x but disallow access to the cache. But this
>> means that (almost) no-one can query the version.bind record on them, making
>> us look as though we have a form of paranoia of which I disapprove :-)
>
>	Well stop using 9.3 constructs and start using 9.4 constructs.
>
>	"allow-query-cache {[very-little];};" and leave allow-query
>	to default to "allow-query {any;};".

<breath state=held>
Well, of course that *is* what I am going to do once I am sure that I will
not have to revert to 9.3.4-P1 in a hurry! Meanwhile I will keep a named.conf
that will work with both. That particular paranoia I am not in the least
ashamed of :-)
</breath>

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
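The two named.conf strategies discussed in this exchange, written out as an added example that is not from the original post or from BIND's own documentation. The contents of the `very-little` ACL, the zone name and the file name are constructed placeholders; the two `options` blocks are alternative files, not one configuration.

```conf
// Constructed placeholder for the "[very-little]" ACL named in the post.
acl "very-little" { 127.0.0.1; 192.0.2.0/24; };

// --- Variant A: one named.conf that loads on both 9.3.x and 9.4.x ---
// The options-level allow-query is the only knob 9.3 has that also
// covers the cache, so it is set restrictively and re-opened per zone.
options {
    allow-query { "very-little"; };
};
zone "example.net" {
    type master;
    file "example.net.zone";
    allow-query { any; };      // authoritative data stays public
};
// Side effect reported for 9.4.2 in the post: a host outside "very-little"
// gets REFUSED for TXT/CH/version.bind, since the options-level allow-query
// is what governs the built-in server information zones.

// --- Variant B (separate named.conf): the 9.4 construct from the reply ---
// Restrict the cache with allow-query-cache and leave allow-query unset,
// so it keeps its default of { any; }. Cache access stays closed while
// version.bind is answered for everyone.
options {
    allow-query-cache { "very-little"; };
    // allow-query deliberately not set here
};
zone "example.net" {
    type master;
    file "example.net.zone";
};
```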