
False positive on insecure zone update by IP?


Michael Weiser

Nov 18, 2016, 2:18:01 PM
to bind-...@lists.isc.org
Hi,

today I noticed the following log messages from my caching-only bind on
startup:

zone 'localhost' allows updates by IP address, which is insecure
zone 'version.bind' allows updates by IP address, which is insecure
zone 'hostname.bind' allows updates by IP address, which is insecure
zone 'authors.bind' allows updates by IP address, which is insecure
zone 'id.server' allows updates by IP address, which is insecure

What's bugging me about those is that I have set allow-updates { none; }
in the global options section of my named.conf. Setting it on the
localhost zone explicitly doesn't change anything.

I've looked at the implementation of dns_acl_isinsecure() and got the
impression that there might simply be a check missing for special ACL
"none".

So I wonder: Can I ignore these messages?
--
Thanks,
Michael

Michael Weiser

Nov 28, 2016, 7:00:46 AM
to bind-...@lists.isc.org
Hi,

On Fri, Nov 18, 2016 at 06:32:26PM +0100, Michael Weiser wrote:

> zone 'localhost' allows updates by IP address, which is insecure
[...]
> So I wonder: Can I ignore these messages?

No idea, anyone?
Should I take this to the devel list?
--
Thanks,
Michael

Darcy Kevin (FCA)

Nov 28, 2016, 12:39:27 PM
to bind-...@lists.isc.org
Well, I suppose it's a little silly that the informational message would count "none" as an "IP address", but on the other hand, why specify "allow-update { none; };" when that's the default? It probably never occurred to the creator/author of the informational message that someone would "superfluously" define an allow-update that exactly mirrors the default behavior.

If you're doing that only for documentation purposes, you could use a comment instead.

- Kevin

Michael Weiser

Nov 28, 2016, 3:00:51 PM
to Darcy Kevin (FCA), bind-...@lists.isc.org
Hi Kevin,

On Mon, Nov 28, 2016 at 05:39:16PM +0000, Darcy Kevin (FCA) wrote:

> why
> specify "allow-update { none; };" when that's the default?
[...]
> If you're doing that only for documentation purposes, you could use a
> comment instead.

Thanks Kevin! It never occurred to me to just try commenting it out (and
researching the default) which indeed gets rid of the message. I'll
raise this with my Linux distribution (Gentoo).
--
Thanks again,
Michael

Mark Andrews

Nov 28, 2016, 3:45:37 PM
to Michael Weiser, Darcy Kevin (FCA), bind-...@isc.org
Don't bother.

4507. [bug] Named could incorrectly log 'allows updates by IP
address, which is insecure' [RT #43432]

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
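The thread's point is that "none" and key-based ACLs grant no update-by-IP rights, so only address, prefix, any or localnets entries deserve the "insecure" warning. The script below is an added example, not code from the thread or from BIND: a small named.conf audit that reports which zones really do allow updates by IP address. It assumes one zone statement per line, takes the options{} setting as the default for zones without their own clause, and does not expand named ACLs (those are flagged for review as IP-based).

```python
import re

# Constructed named.conf excerpt (one zone per line), not taken from the thread.
SAMPLE_CONF = """\
options { directory "/var/named"; allow-update { none; }; };
zone "localhost"     { type master; file "localhost.zone"; allow-update { none; }; };
zone "dyn.example"   { type master; file "dyn.zone"; allow-update { key ddns-key; }; };
zone "lab.example"   { type master; file "lab.zone"; allow-update { 192.0.2.0/24; }; };
zone "mixed.example" { type master; file "mix.zone"; allow-update { key k; !10.0.0.9; any; }; };
zone "quiet.example" { type master; file "quiet.zone"; };
"""

UPDATE_RE = re.compile(r'allow-update\s*\{([^}]*)\}')
ZONE_RE = re.compile(r'^\s*zone\s+"([^"]+)"')

def classify_acl(acl_body):
    """Classify the body of an allow-update { ... } clause.
    'none', an empty ACL and negated entries grant nothing; 'key' is TSIG-only;
    'localhost' is the server's own addresses; anything else (an address, a
    prefix, any, localnets, or a named ACL this script does not expand) counts
    as a grant by IP address, which is the only case worth the warning."""
    elems = [e.strip() for e in acl_body.split(';') if e.strip()]
    kinds = set()
    for e in elems:
        if e == 'none' or e.startswith('!'):
            continue
        if e.startswith('key '):
            kinds.add('key')
        elif e == 'localhost':
            kinds.add('localhost')
        else:
            kinds.add('ip')
    if 'ip' in kinds:
        return 'insecure: updates allowed by IP address'
    if kinds:
        return 'secure (' + ', '.join(sorted(kinds)) + ')'
    return 'none'

def audit_allow_update(conf):
    """Map each zone to its allow-update verdict; zones without their own clause
    inherit the options{} setting, which is 'none' when nothing is configured."""
    default, verdicts = 'none', {}
    for line in conf.splitlines():
        m = UPDATE_RE.search(line)
        body = m.group(1) if m else None
        if line.lstrip().startswith('options'):
            if body is not None:
                default = classify_acl(body)
            continue
        z = ZONE_RE.match(line)
        if z:
            verdicts[z.group(1)] = classify_acl(body) if body is not None else default
    return verdicts

if __name__ == '__main__':
    for zone, verdict in audit_allow_update(SAMPLE_CONF).items():
        print(f'{zone:16} {verdict}')
```

Only "lab.example" and "mixed.example" should be reported; a zone with allow-update { none; } is indistinguishable from one that relies on the default.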