Re: Bind 9.20.15 denying transfer to secondaries?
Hi, On Thursday, 11. December 2025 07:28:39 (+01:00), Benoît Panizzon wrote: > Isn't there a setting which automatically allows all NS in a zone to > perform a transfer? > > Now I have to configure the secondaries for each zone, and > unfortunately this are not always the same. > you could configure your zonetransfers to be secured by TSIG keys. That way the authentication of zone transfers is independent from the IP addresses. TSIG key authentication is also considered more secure compared with IP address authentication. Greetings Carsten -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.
Re: Bind 9.20.15 denying transfer to secondaries?
Hi Benoît, > Isn't there a setting which automatically allows all NS in a zone to > perform a transfer? I think you might be confusing "allow-transfer" with "notify": https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-notify -- Best regards, Michał Kępień -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.
Re: Bind 9.20.15 denying transfer to secondaries?
On 11/12/2025 07:28, Benoît Panizzon wrote: Isn't there a setting which automatically allows all NS in a zone to perform a transfer? Now I have to configure the secondaries for each zone, and unfortunately this are not always the same. You can just set "allow-transfer" to "any" to get back the previous behaviour for now. When you have more time, you can configure per-zone allow-transfer settings, and then remove the global setting. Regards, Anand -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.
Re: Bind 9.20.15 denying transfer to secondaries?
Hi Ben >Correct. allow-transfer now defaults to "none". > > https://kb.isc.org/docs/bind-920-changes#runtime-configuration > > https://downloads.isc.org/isc/bind9/cur/9.20/doc/arm/html/notes.html#id43 > >Always read the release notes. :-) I eventually found them... So I guess I never realised that transfers were globally allowed before? Isn't there a setting which automatically allows all NS in a zone to perform a transfer? Now I have to configure the secondaries for each zone, and unfortunately this are not always the same. -- Mit freundlichen Grüssen -Benoît Panizzon- @ HomeOffice und normal erreichbar -- I m p r o W a r e A G-Leiter Commerce Kunden __ Zurlindenstrasse 29 Tel +41 61 826 93 00 CH-4133 PrattelnFax +41 61 826 93 01 Schweiz Web http://www.imp.ch __ -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.
Re: Bind 9.20.15 denying transfer to secondaries?
On 12/10/25 06:13, Benoît Panizzon wrote: Of course, I could specify allow-transfer to explicitly allow the ip addresses of the secondaries for each zone. Correct. allow-transfer now defaults to "none". https://kb.isc.org/docs/bind-920-changes#runtime-configuration https://downloads.isc.org/isc/bind9/cur/9.20/doc/arm/html/notes.html#id43 Always read the release notes. :-) -- Ben -- Any opinions expressed in this message are those of the author alone. All information is provided without warranty of any kind. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.
