Removing possibly unneeded modules in authoritative servers

Spain, Dr. Jeffry A. spainj at countryday.net
Tue Feb 7 01:40:34 UTC 2012


>> My questions are as follows: On NSB0 in bindctl, can I execute 'config remove Boss/components b10-xfrin' since the hidden master is only doing outgoing transfers to NSB0S? Similarly on NSB1 and NSB2, can I execute 'config remove Boss/components b10-xfrout' since these servers are only doing incoming zone transfers from NSB0S? Or is there some interdependency between Xfrin and Xfrout that will cause things to not go well if I remove one of them? Thanks.

>These two are independent, you can safely remove them. Also, zone manager works together with xfrin to refresh the zones, so you can remove that one from one of the hosts (NSB0S). The authoritative server is needed for xfrout, but not needed for xfrin (because it listens for the queries on port 53 on behalf of the xfrout).

Thank you. I verified that for the hidden master (NSB0), I can remove the b10-xfrin and b10-zonemgr modules, and everything still seems to work in terms of outgoing zone transfers. With the slave servers (NSB1 and NSB2) I can remove the b10-xfrout module but not the b10-auth module. Without b10-auth, these servers don't respond to any queries on their authoritative zones.

Also I would like to propose a change to the default configuration of the Xfrout module for purposes of improved security. As things stand, a default installation of bind10 sets up an authoritative server with outgoing zone transfer capability. In the default configuration 'Xfrout/transfer_acl[0]  {"action": "ACCEPT"}    any     (default)' allows anybody to list out any zones that are loaded. I think it would be better to set this to '{"action": "REJECT"}    any', and thus require system administrators to explicitly define permissible outgoing zone transfer recipients. Perhaps you are already contemplating this as bind10 development continues, but it would be unfortunate to overlook this issue in an eventual production release.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
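As an added illustration (not part of the original post and not BIND 10's own code), the following Python model compares the three Xfrout/transfer_acl choices discussed above: the shipped default, the proposed REJECT default, and an explicit allow-list. It assumes BIND 10 ACL semantics of first-match-wins, an entry without "from" matching any client, and REJECT when nothing matches; the addresses for NSB1 and NSB2 are constructed.

```python
"""Model of BIND 10 Xfrout/transfer_acl evaluation (added illustration).

Assumptions (not verified against the BIND 10 source): entries are tried in
list order, the first matching entry's action applies, an entry without a
"from" clause matches any client, and a request matching no entry is REJECTed.
"""
import ipaddress

# The shipped default described in the message: any client may pull any zone.
DEFAULT_ACL = [{"action": "ACCEPT"}]

# The proposed default: refuse transfers until an administrator adds entries.
PROPOSED_ACL = [{"action": "REJECT"}]

# A production-style allow-list: only the two secondaries may transfer.
# 192.0.2.11 / 192.0.2.12 are constructed stand-ins for NSB1 and NSB2.
EXPLICIT_ACL = [
    {"action": "ACCEPT", "from": "192.0.2.11"},
    {"action": "ACCEPT", "from": "192.0.2.12"},
    {"action": "REJECT"},  # explicit catch-all, documents the intent
]


def entry_matches(entry, source):
    """True if the entry's "from" (address or prefix) covers `source`.

    A missing "from" matches every client, which is exactly what turns the
    default ACL into an open zone-transfer policy."""
    if "from" not in entry:
        return True
    network = ipaddress.ip_network(entry["from"], strict=False)
    return ipaddress.ip_address(source) in network


def evaluate_transfer_acl(acl, source):
    """Return the action ("ACCEPT"/"REJECT") for a transfer request from `source`."""
    for entry in acl:
        if entry_matches(entry, source):
            return entry["action"]
    return "REJECT"  # assumed default when no entry matches


def accepts_arbitrary_client(acl):
    """Audit helper: does a client from an unrelated network get ACCEPT?

    203.0.113.250 is a constructed address outside every allow-listed range."""
    return evaluate_transfer_acl(acl, "203.0.113.250") == "ACCEPT"


if __name__ == "__main__":
    for name, acl in (("default", DEFAULT_ACL), ("proposed", PROPOSED_ACL),
                      ("explicit", EXPLICIT_ACL)):
        print(f"{name:9s} open to arbitrary clients: {accepts_arbitrary_client(acl)}")
```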



