North American Network Operators Group
Re: sorry to ruin several of your evenings...
So, I said this about controlling who can query "version.bind":

> "allow-query" lets you control who can see that information:
>
>     zone "bind" chaos {
>         allow-query {
>             127.0.0.1 ;
>             xxx.xxx.xxx.xxx/len ;
>         } ;
>         type master;
>         file "filename";
>     };

and Rob Thomas was kind enough to point out that this caused bind9 to dump core. I did, in fact, take the example from a bind8 server. I tried replicating it in bind9, and while it didn't dump core (perhaps that was 9.0.x behavior?), on 9.1.0 the log messages suggested that I acquaint myself with "views." I did, and a named.conf for a recursive server that only allows localhost to access the "bind" zone for class "CHAOS" while performing general recursive service for class "IN" is:

    view "external" {
        match-clients { any ; } ;
        zone "127.in-addr.arpa" {
            type master ;
            notify no ;
            file "primary/127.in-addr.arpa" ;
        } ;
        zone "." {
            type hint ;
            file "cache/cache.db" ;
        } ;
    } ;

    view "local" chaos {
        match-clients { 127.0.0.1 ; } ;
        zone "bind" {
            type master ;
            file "primary/bind" ;
        } ;
        zone "." {
            type hint ;
            file "cache/cache.chaos" ;
        } ;
    } ;

Zone file contents are left as an exercise to the reader; it seems to do the trick in restricting access in the same manner as my bind8 example. Thank you to Rob for pointing out that my solution only worked for bind8; hopefully this helps anyone trying to puzzle it out for bind9.

Stephen
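The point of the two configurations above is the same: a "bind" zone in class CHAOS should only be answerable to clients that pass an ACL, whether that ACL is a bind8-style allow-query on the zone or a bind9 match-clients on the view that carries the zone. The following is an added example, not code from the post or from ISC: a small named.conf linter that parses both layouts and flags a CHAOS "bind" zone whose every gate is open to "any". The tokenizer, the sample configurations (192.0.2.0/24 is a constructed prefix standing in for the elided address in the quoted bind8 snippet) and the rule that a missing ACL counts as "any" are all assumptions of this example; named ACLs and negated entries are not resolved.

```python
"""Lint a named.conf for CHAOS-class "bind" zones reachable by any client."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Tokens: quoted strings, the three structural characters, or bare words.
_TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


@dataclass
class Stmt:
    words: List[str]                                  # e.g. ['view', 'local', 'chaos']
    body: List["Stmt"] = field(default_factory=list)  # statements of a following { } block


def tokenize(text: str) -> List[str]:
    """Drop /* */, // and # comments, then split into tokens with quotes removed."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"(//|#).*", " ", text)
    return [t.strip('"') for t in _TOKEN_RE.findall(text)]


def parse(tokens: List[str]) -> List[Stmt]:
    """Turn the flat token list into a statement tree."""
    stmts, pos = _parse_block(tokens, 0)
    if pos != len(tokens):
        raise ValueError("stray closing brace in configuration")
    return stmts


def _parse_block(tokens, pos):
    stmts, words = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == "}":
            return stmts, pos + 1
        if tok == ";":
            if words:
                stmts.append(Stmt(words))
            words, pos = [], pos + 1
        elif tok == "{":
            body, pos = _parse_block(tokens, pos + 1)
            stmts.append(Stmt(words, body))
            words = []
        else:
            words.append(tok)
            pos += 1
    return stmts, pos


def _acl(body: List[Stmt], key: str) -> Optional[List[str]]:
    """Elements of `key { ... };` inside body, or None if the ACL is absent."""
    for s in body:
        if s.words and s.words[0] == key:
            return [" ".join(e.words) for e in s.body]
    return None


def _class(words: List[str], default: str) -> str:
    return words[2].lower() if len(words) > 2 else default


def _open(acl: Optional[List[str]]) -> bool:
    # Assumption of this lint: a missing ACL means "any" (BIND defaults vary by version).
    return acl is None or "any" in acl


def find_chaos_bind_zones(config_text: str) -> List[dict]:
    """Report every 'bind' zone served in class CHAOS and the ACLs gating it."""
    findings = []
    for stmt in parse(tokenize(config_text)):
        w = stmt.words
        if len(w) < 2:
            continue
        if w[0] == "view":
            clients = _acl(stmt.body, "match-clients")
            for z in stmt.body:
                if z.words[:1] == ["zone"] and z.words[1].lower() == "bind" \
                        and _class(z.words, _class(w, "in")) == "chaos":
                    aq = _acl(z.body, "allow-query")
                    findings.append({"scope": f"view {w[1]}", "match_clients": clients,
                                     "allow_query": aq,
                                     # a client must pass both gates, so both must be open
                                     "exposed": _open(clients) and _open(aq)})
        elif w[0] == "zone" and w[1].lower() == "bind" and _class(w, "in") == "chaos":
            aq = _acl(stmt.body, "allow-query")  # bind8-style global zone
            findings.append({"scope": "global", "match_clients": None,
                             "allow_query": aq, "exposed": _open(aq)})
    return findings


# Constructed sample 1: the bind8-style global zone (192.0.2.0/24 is a made-up prefix).
BIND8_STYLE = '''
zone "bind" chaos {
    allow-query { 127.0.0.1; 192.0.2.0/24; };
    type master;
    file "filename";
};
'''

# Constructed sample 2: the two-view bind9 layout from the post.
BIND9_VIEWS = '''
view "external" {
    match-clients { any; };
    zone "127.in-addr.arpa" { type master; notify no; file "primary/127.in-addr.arpa"; };
    zone "." { type hint; file "cache/cache.db"; };
};
view "local" chaos {
    match-clients { 127.0.0.1; };
    zone "bind" { type master; file "primary/bind"; };
    zone "." { type hint; file "cache/cache.chaos"; };
};
'''

# Constructed sample 3: a CHAOS view anyone can reach, the misconfiguration the lint is for.
OPEN_CHAOS = '''
view "open" chaos {
    match-clients { any; };
    zone "bind" { type master; file "primary/bind"; };
};
'''

if __name__ == "__main__":
    for name, cfg in [("bind8", BIND8_STYLE), ("bind9", BIND9_VIEWS), ("open", OPEN_CHAOS)]:
        for finding in find_chaos_bind_zones(cfg):
            print(name, finding)
```

Running the script reports one finding per sample: the bind8 zone and the bind9 "local" view are gated (exposed False), while the "open" view is flagged. A lint like this is a complement to, not a substitute for, querying the server from inside and outside the ACL and confirming the outside query is refused.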