On 02/21/2013 02:04 PM, Vernon Schryver wrote:
From: Robert Moskowitz <r...@htt-consult.com>
Whoa... This is news. A hidden view? Where is this documented?
The ARM says in part:
Built-in server information zones
The server provides some helpful diagnostic information through a
number of built-in zones under the pseudo-top-level-domain bind
in the CHAOS class. These zones are part of a built-in view (see
the section called "view Statement Grammar") of class CHAOS which
is separate from the default view of class IN; therefore, any
global server options such as allow-query do not apply to these
zones. If you feel the need to disable these zones, use the options
below, or hide the built-in CHAOS view by defining an explicit
view of class CHAOS that matches all clients.
Oy vey, through a glass darkly. Pieces come back to me about things I
learned when Kevin introduced me to bind back in '93 and since then I
have only delved into it when I did an upgrade (like right now!).
I missed Chaosnet, I was doing X.25 stuff around then. Of course use it
for odds and ends these days.
And I seemed to have tightened up my rules real tight. In the global
options I have locked down queries to only localhost, then open it up in
the views. I just tested externally and no access to chaos now. Here
is the log entry:
Feb 21 14:14:37 onlo named[24803]: client 70.194.0.112#9517: query 'version.bind/TXT/CH' denied
I have no restrictions in my general options section. Figured that the
specific view ones were all that was needed. Now I am upset.
It's not a real view, because you can't change it except by
editing the BIND source, using the version, hostname, and server-id
options, hiding it as the ARM says, or with default options.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
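
The two approaches named in the thread (the version, hostname and server-id options, and hiding the built-in CHAOS view with an explicit one), written out as a named.conf fragment. This is an added example, not configuration posted by anyone in the thread; the view name "hide-chaos" and the test address in the last comment are placeholders.

```conf
// named.conf fragment (added example; names are illustrative)

options {
    // Approach 1: the options mentioned in the reply. Each one
    // controls the answer to one built-in CHAOS TXT name.
    version   none;    // version.bind
    hostname  none;    // hostname.bind
    server-id none;    // id.server
};

// Approach 2: an explicit view of class CHAOS that matches all
// clients, which is how the ARM excerpt says to hide the built-in
// CHAOS view. It holds no zones and allows no queries.
view "hide-chaos" chaos {
    match-clients { any; };
    allow-query   { none; };
};

// The existing class IN views follow unchanged. Once any view
// statement exists, every zone statement must be inside a view.

// Check from an outside host after reloading (address is a
// documentation placeholder, not taken from the thread):
//   dig @192.0.2.53 version.bind TXT CH
// The answer should no longer carry the server's version string.
```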