Removing possibly unneeded modules in authoritative servers

JINMEI Tatuya / 神明達哉 jinmei at isc.org
Tue Feb 7 17:56:12 UTC 2012


At Tue, 7 Feb 2012 01:40:34 +0000,
"Spain, Dr. Jeffry A." <spainj at countryday.net> wrote:

> Also I would like to propose a change to the default configuration of the Xfrout module for purposes of improved security. As things stand, a default installation of bind10 sets up an authoritative server with outgoing zone transfer capability. In the default configuration 'Xfrout/transfer_acl[0]  {"action": "ACCEPT"}    any     (default)' allows anybody to list out any zones that are loaded. I think it would be better to set this to '{"action": "REJECT"}    any', and thus require system administrators to explicitly define permissible outgoing zone transfer recipients. Perhaps you are already contemplating this as bind10 development continues, but it would be unfortunate to overlook this issue in an eventual production release.

This is basically following the default behavior of BIND 9.  In
general, we are trying to keep compatibility with BIND 9 unless
there's a specific reason to change that.  We can discuss this at
bind10-dev (maybe cc'ing to the users list in case you are interested
in it).

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
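To make the difference between the two defaults discussed in the quoted proposal concrete, here is an added example (not code from BIND 10, ISC, or either poster) that models how an `Xfrout/transfer_acl` list is evaluated against the source address of an AXFR request. The ACL element shape (`action`, `from`, optional `key`) follows the form quoted in the message; first-match-wins evaluation, an implicit REJECT when no element matches, and TSIG key-name matching are assumptions made for the model, and all addresses and key names are constructed.

```python
"""Toy model of Xfrout transfer_acl evaluation (added example, not BIND 10 code)."""
import ipaddress

# Constructed ACLs in the element shape quoted in the e-mail.
DEFAULT_ACL = [{"action": "ACCEPT"}]           # default the proposal objects to: anyone may AXFR
PROPOSED_DEFAULT_ACL = [{"action": "REJECT"}]  # proposed default: nobody may AXFR until configured
HARDENED_ACL = [                               # explicit list of permitted secondaries
    {"action": "ACCEPT", "from": "192.0.2.53"},
    {"action": "ACCEPT", "from": "2001:db8::/64", "key": "xfer-key"},  # assumed: key + from both required
    {"action": "REJECT"},
]


def _element_matches(element, client_ip, key_name):
    """An element matches when every constraint it carries is satisfied."""
    if "from" in element:
        # strict=False lets a bare host address act as a /32 or /128 prefix.
        if client_ip not in ipaddress.ip_network(element["from"], strict=False):
            return False
    if "key" in element and element["key"] != key_name:
        return False
    return True  # an element with neither "from" nor "key" is a catch-all


def evaluate_transfer_acl(acl, client, key_name=None):
    """Return the action of the first matching element (assumption: first match wins)."""
    client_ip = ipaddress.ip_address(client)
    for element in acl:
        if _element_matches(element, client_ip, key_name):
            return element["action"]
    return "REJECT"  # assumption: nothing matched, so the transfer is refused


def transfer_allowed(acl, client, key_name=None):
    return evaluate_transfer_acl(acl, client, key_name) == "ACCEPT"


def audit_acl(acl):
    """Flag the open-to-anyone pattern a reviewer of a server config would look for."""
    findings = []
    for index, element in enumerate(acl):
        if element.get("action") == "ACCEPT" and "from" not in element and "key" not in element:
            findings.append(f"element {index}: ACCEPT with no 'from'/'key' grants AXFR to any source")
        if "from" not in element and "key" not in element and index < len(acl) - 1:
            findings.append(f"element {index}: catch-all shadows {len(acl) - index - 1} later element(s)")
    return findings


if __name__ == "__main__":
    for name, acl in (("default", DEFAULT_ACL), ("proposed", PROPOSED_DEFAULT_ACL), ("hardened", HARDENED_ACL)):
        print(name, "unknown host 203.0.113.9 ->", evaluate_transfer_acl(acl, "203.0.113.9"))
        print(name, "secondary 192.0.2.53   ->", evaluate_transfer_acl(acl, "192.0.2.53"))
        print(name, "audit:", audit_acl(acl) or "clean")
```

Running the module side by side shows the point of the proposal: under the shipped default an arbitrary host can enumerate every loaded zone, under the proposed default nothing is transferable until an administrator lists the secondaries explicitly, and the hardened list behaves like the proposed default for everyone except the named hosts.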



More information about the bind10-users mailing list