Re: transfer-source / notify-source warnings if a port is specified
Duncan wrote:
>
> Is there any option to suppress warnings if using transfer-source /
> notify-source specifying ports ?

There are good reasons for these warnings.

NOTIFY uses UDP, and source port randomization in UDP is important to protect against spoofing. Spoofing NOTIFY is relatively harmless, but it does create more work for the target server than other requests, so you don't want to make it easy.

Zone transfers use TCP. A TCP connection is identified by its 4-tuple: its source and destination addresses and ports. Multiple concurrent TCP connections to the same server require differing source ports, because the rest of the 4-tuple must be the same.

If you fix your zone transfer TCP source port, then every zone transfer to your server from its upstream (primary/master) will have the same 4-tuple. This means you will only be able to perform one zone transfer at a time because there can only be one TCP connection at a time with the same 4-tuple. You are also probably going to have an unhappy encounter with the various TCP connection shutdown timers (FIN_WAIT, CLOSE_WAIT, etc.) that prevent successive TCP connections with the same 4-tuple from getting muddled up.

So you can suppress the warnings, and avoid the problems they are warning you about, by not specifying the source ports.

Tony.
--
f.anthony.n.finch https://dotat.at/
Southwest Forties, Cromarty, Forth, Tyne, Dogger: Southwesterly 5 to 7, occasionally gale 8 at first except in Cromarty, then decreasing 4 at times. Moderate or rough in southwest Forties and Dogger, but elsewhere slight or moderate. Rain or showers. Good, occasionally poor for a time.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
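Added example (not part of the original thread, and not BIND code): the 4-tuple constraint described in the reply above, shown with plain Python sockets on loopback. The listeners stand in for a primary server; the address, ports and function names are constructed for the demonstration, and Linux/BSD socket semantics are assumed.

```python
import errno
import socket

LOOPBACK = "127.0.0.1"  # constructed test address, stands in for both servers

def listener():
    """Stand-in for a primary server's TCP listener on an OS-chosen port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((LOOPBACK, 0))
    s.listen(8)
    return s

def free_port():
    """Pick a currently unused local port to play the fixed source port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.bind((LOOPBACK, 0))
        return probe.getsockname()[1]

def connect_from(src_port, dst_port):
    """Connect from a fixed source port; return (socket, None) or (None, errno name)."""
    c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # SO_REUSEADDR lets several sockets bind the same local port, so a
    # failure below comes from the 4-tuple clash, not from bind() itself.
    c.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        c.bind((LOOPBACK, src_port))
        c.connect((LOOPBACK, dst_port))
        return c, None
    except OSError as e:
        c.close()
        return None, errno.errorcode.get(e.errno, str(e.errno))

def demo():
    primary_a, primary_b = listener(), listener()
    port_a = primary_a.getsockname()[1]
    port_b = primary_b.getsockname()[1]
    src = free_port()
    first, err1 = connect_from(src, port_a)   # first "transfer" connects
    second, err2 = connect_from(src, port_a)  # same 4-tuple while first is open
    other, err3 = connect_from(src, port_b)   # same source, different destination
    for s in (first, second, other, primary_a, primary_b):
        if s is not None:
            s.close()
    return err1, err2, err3

if __name__ == "__main__":
    print(demo())
```

Only the second attempt fails: it shares source address, source port, destination address and destination port with a connection that is still open.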
Re: transfer-source / notify-source warnings if a port is specified
On 29.12.21 18:58, Duncan wrote:
> Is there any option to suppress warnings if using transfer-source / notify-source specifying ports ?

yes, don't specify source port.

> /etc/bind/named.conf:90: 'notify-source': specifying a port is not recommended
> /etc/bind/named.conf:91: 'notify-source-v6': specifying a port is not recommended
> /etc/bind/named.conf:88: 'transfer-source': specifying a port is not recommended
> /etc/bind/named.conf:89: 'transfer-source-v6': specifying a port is not recommended
>
> I know that this is NOT recommended, just looking for an option to suppress these warnings.

what's the reason for specifying source port for zone transfers?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
There's a long-standing bug relating to the x86 architecture that allows you to install Windows. -- Matthew D. Fuller
transfer-source / notify-source warnings if a port is specified
Hi!

Is there any option to suppress warnings if using transfer-source / notify-source specifying ports ?

/etc/bind/named.conf:90: 'notify-source': specifying a port is not recommended
/etc/bind/named.conf:91: 'notify-source-v6': specifying a port is not recommended
/etc/bind/named.conf:88: 'transfer-source': specifying a port is not recommended
/etc/bind/named.conf:89: 'transfer-source-v6': specifying a port is not recommended

I know that this is NOT recommended, just looking for an option to suppress these warnings.