9.3.1 - views leak forwarding type zones?

Stefan Schmidt zaphodb--bind at zaphods.net
Mon Jun 20 13:40:02 UTC 2005 

Hey guys,

i have a problem with the following setup. singlestage.dnsbl.freenet.de should
only be accessible via view 'internal' but is leaking to 'external' with bind
9.3.1. Is this a bug or is the documentation simply missing a 'views don't work with zone-type forwarding'?

Jun 20 13:23:22 rbldns0 named[24942]: client 10.1.53.8#32830: view internal:
query: 2.0.0.127.singlestage.dnsbl.freenet.de IN A +
Jun 20 13:23:25 rbldns0 named[24942]: client 194.97.7.90#54498: view external:
query: 2.0.0.127.list.dsbl.org IN A +
Jun 20 13:23:41 rbldns0 named[24942]: client 194.97.7.90#54518: view external:
query: 2.0.0.127.singlestage.dnsbl.freenet.de IN A +

view "internal" {
        recursion yes;
        match-clients {
                127.0.0.1;
                10.1.53.0/24;
                mailserver;
        };
        allow-query {
                127.0.0.1;
                10.1.53.0/24;
                mailserver;
        };
        zone "singlestage.dnsbl.freenet.de" {
                type forward;
                forward first;
                forwarders {
                        127.0.0.2;
                };
        };
        zone "csa.dnsbl.freenet.de" {
                type forward;
                forward first;
                forwarders {
                        127.0.0.2;
                };
        };
        zone "relays.ordb.org" {
                type forward;
                forward first;
                forwarders {
                        127.0.0.2;
                };
        };
};

view "external" {
        recursion yes;
        match-clients {
                0.0.0.0/0;
        };
        allow-query {
                0.0.0.0/0;
        };
        zone "list.dsbl.org" {
                type forward;
                forwarders {
                        127.0.0.2;
                };
        };
        zone "unconfirmed.dsbl.org" {
                type forward;
                forward first;
                forwarders {
                        127.0.0.2;
                };
        };
        zone "multihop.dsbl.org" {
                type forward;
                forward first;
                forwarders {
                        127.0.0.2;
                };
        };
        zone "127.in-addr.arpa" {
                type master;
                file "127";
        };
        
        zone "localhost" {
                type master;
                file "local";
        };
        
        zone "." {
                type hint;
                file "cache";
        };
        
        zone "com" {
                type delegation-only;
        };
        
        zone "net" {
                type delegation-only;
        };
        zone "cache.p2p" {
          type master;
          file "/var/named/prim/cache.p2p";
        };
        
        zone "edcache.p2p" {
          type master;
          file "/var/named/prim/edcache.p2p";
        };
};
best regards,
		Stefan Schmidt

PS: yes, better name for the acl would be mailserverS ;-)
-- 
panic("IRQ, you lose...");
2.2.16 /usr/src/linux/arch/mips/sgi/kernel/indy_int.c

More information about the bind-workers mailing list