allow-query and views

Robert Moskowitz rgm at htt-consult.com
Thu Feb 21 19:22:53 UTC 2013


On 02/21/2013 02:04 PM, Vernon Schryver wrote:
>> From: Robert Moskowitz <rgm at htt-consult.com>
>> Whoa...  This is news.  A hidden view?  Where is this documented?
> The ARM says in part:
>
>    Built-in server information zones
>      The server provides some helpful diagnostic information through a
>      number of built-in zones under the pseudo-top-level-domain bind
>      in the CHAOS class. These zones are part of a built-in view (see
>      the section called "view Statement Grammar") of class CHAOS which
>      is separate from the default view of class IN; therefore, any
>      global server options such as allow-query do not apply to these
>      zones.  If you feel the need to disable these zones, use the options
>      below, or hide the built-in CHAOS view by defining an explicit
>      view of class CHAOS that matches all clients.

Oy vey, through a glass darkly.  Pieces come back to me about things I 
learned when Kevin introduced me to bind back in '93 and since then I 
have only delved into it when I did an upgrade (like right now!).

I missed Chaosnet, I was doing X.25 stuff around then.  Of course use it 
for odds and ends these days.

And I seemed to have tightened up my rules real tight.  In the global 
options I have locked down queries to only localhost, then open it up in 
the views.  I just tested externally and no access to chaos now.  Here 
is the log entry:

Feb 21 14:14:37 onlo named[24803]: client 70.194.0.112#9517: query 'version.bind/TXT/CH' denied


>
>> I have no restrictions in my general options section.  Figured that the
>> specific view ones were all that was needed.  Now I am upset.
> It's not a real view, because you can't change it except by
> editing the BIND source, using the version, hostname, and server-id
> options, hiding it as the ARM says, or with default options.
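
Added example, not part of the original message and not BIND's own code: a small Python check that scans named log text for denied CHAOS-class queries like the one logged above and groups them by client, to confirm the built-in zones are being refused and to see who is asking. Every line in SAMPLE_LOG except the first is constructed, and the function name and the optional log-layout parts in the pattern are assumptions.

```python
import re
from collections import defaultdict

# Sample input: the first line is the log entry quoted in the message; the
# others are constructed for illustration (documentation address ranges).
SAMPLE_LOG = """\
Feb 21 14:14:37 onlo named[24803]: client 70.194.0.112#9517: query 'version.bind/TXT/CH' denied
Feb 21 14:15:02 onlo named[24803]: client 192.0.2.7#40112: query 'hostname.bind/TXT/CH' denied
Feb 21 14:15:03 onlo named[24803]: client 192.0.2.7#40113: query 'example.com/A/IN' denied
Feb 21 14:16:40 onlo named[24803]: client 2001:db8::53#5353: view external: query 'VERSION.BIND/TXT/CH' denied
Feb 21 14:17:00 onlo named[24803]: zone example.com/IN: loaded serial 2013022101
"""

# Matches: client <addr>#<port>: [view <name>:] query '<name>/<type>/<class>' denied
# The optional "@0x...", "(<name>)" and "(cache)" parts are an assumption meant
# to tolerate log layouts other than the one shown in the message.
DENIED = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<addr>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?:(?: view (?P<view>[^:]+):)?"
    r" query (?:\(cache\) )?"
    r"'(?P<qname>[^'/]+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z0-9]+)' denied"
)


def denied_chaos_queries(log_text):
    """Return {client address: sorted denied CH-class query names}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = DENIED.search(line)
        # Only class CH is of interest here; denied IN queries are skipped.
        if m and m.group("qclass") == "CH":
            # DNS names are case-insensitive, so normalise before grouping.
            hits[m.group("addr")].add(m.group("qname").lower())
    return {addr: sorted(names) for addr, names in hits.items()}


if __name__ == "__main__":
    for addr, names in denied_chaos_queries(SAMPLE_LOG).items():
        print(addr, ", ".join(names))
```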




