False positive on inscure zone update by IP?

Michael Weiser michael at weiser.dinsnail.net
Fri Nov 18 17:32:26 UTC 2016


Hi,

today I noticed the following log messages from my caching-only bind on
startup:

zone 'localhost' allows updates by IP address, which is insecure
zone 'version.bind' allows updates by IP address, which is insecure
zone 'hostname.bind' allows updates by IP address, which is insecure
zone 'authors.bind' allows updates by IP address, which is insecure
zone 'id.server' allows updates by IP address, which is insecure

What's bugging me about those it that I have set allow-updates { none; }
in the global options section of my named.conf. Setting it on the
localhost zone explicitly doesn't change anything.

I've looked at the implementation of dns_acl_isinsecure() and got the
impression that there might simply be a check missing for special ACL
"none".

So I wonder: Can I ignore these messages?
-- 
Thanks,
Michael


More information about the bind-users mailing list