diff --git a/CHANGES b/CHANGES index 0705700295..6dfae786e8 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,14 @@ +2006. [security] Allow-query-cache and allow-recursion now default + to the builtin acls "localnets" and "localhost". + + This is being done to make caching servers less + attractive as reflective amplifying targets for + spoofed traffic. This still leave authoritative + servers exposed. + + The best fix is for full BCP 38 deployment to + remove spoofed traffic. + 2005. [bug] libbind: Retransmission timeouts should be based on which attempt it is to the nameserver and not the nameserver itself. [RT #13548] diff --git a/bin/named/config.c b/bin/named/config.c index 1e9b94ff0f..c20e6019a1 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: config.c,v 1.71 2006/03/06 01:27:51 marka Exp $ */ +/* $Id: config.c,v 1.72 2006/03/09 03:30:18 marka Exp $ */ /*! \file */ @@ -103,7 +103,8 @@ options {\n\ /* view */\n\ allow-notify {none;};\n\ allow-update-forwarding {none;};\n\ - allow-recursion {any;};\n\ + allow-query-cache { localnets; localhost; };\n\ + allow-recursion { localnets; localhost; };\n\ # allow-v6-synthesis ;\n\ # sortlist \n\ # topology \n\ diff --git a/bin/named/server.c b/bin/named/server.c index fa62826319..7fdbdaf5ff 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.459 2006/02/28 02:39:51 marka Exp $ */ +/* $Id: server.c,v 1.460 2006/03/09 03:30:18 marka Exp $ */ /*! \file */ 
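Review bot: The new `allow-query-cache { localnets; localhost; };` and `allow-recursion { localnets; localhost; };` defaults are only as tight as the builtin localnets acl, which as far as I understand it is derived from the netmasks of the host's interfaces rather than from anything the operator chose; on a host with a wide mask or on a shared segment that grants cache and recursion to every neighbour, which still leaves a reflection path for traffic spoofed from those prefixes. The CHANGES entry only says that authoritative servers remain exposed, so this caveat belongs next to the defaults, e.g. in the ARM entries for the two options: `The builtin localnets acl covers every network this server has an interface on; set these options explicitly on hosts attached to networks you do not control.` The defaults string this hunk edits starts and ends outside the hunk.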
@@ -1430,8 +1430,9 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, CHECK(configure_view_acl(vconfig, config, "allow-query-cache", actx, ns_g_mctx, &view->queryacl)); if (view->queryacl == NULL) - CHECK(configure_view_acl(vconfig, config, "allow-query", - actx, ns_g_mctx, &view->queryacl)); + CHECK(configure_view_acl(NULL, ns_g_defaults, + "allow-query-cache", actx, + ns_g_mctx, &view->queryacl)); if (strcmp(view->name, "_bind") != 0) CHECK(configure_view_acl(vconfig, config, "allow-recursion", @@ -1450,6 +1451,13 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, "both \"recursion no;\" and \"allow-recursion\" " "active%s%s", forview, viewname); + /* + * Set default "allow-recursion" acl. + */ + if (view->recursionacl == NULL && view->recursion) + CHECK(configure_view_acl(NULL, ns_g_defaults, "allow-recursion", + actx, ns_g_mctx, &view->recursionacl)); + CHECK(configure_view_acl(vconfig, config, "sortlist", actx, ns_g_mctx, &view->sortlist)); diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 14958e5e70..c3d888ea46 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual 
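Review bot: The `allow-query-cache` fallback now goes straight to the builtin default and no longer consults an explicit `allow-query`, so a view whose `allow-query` is narrower than localnets (or `none`) gets its cache acl silently widened to localnets/localhost, one with `allow-query { any; }` is silently narrowed, and as far as the hunk shows nothing is logged in either case. I would keep the explicit `allow-query` as the intermediate step and only reach for ns_g_defaults when neither is set, i.e. `if (view->queryacl == NULL) CHECK(configure_view_acl(vconfig, config, "allow-query", actx, ns_g_mctx, &view->queryacl));` ahead of the new CHECK; if the intent is that an explicit `allow-query { any; }` must not reopen the cache, then at least log at configure time when the builtin default overrides a configured allow-query. Either way the ARM text should state which of the two rules applies. configure_view starts and ends outside the hunk.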
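Review bot: The default `allow-recursion` is applied to every view with `view->recursion` set, including the `_bind` view that the earlier hunk deliberately skips when reading a configured `allow-recursion`; if that view can ever have recursion enabled it now silently picks up localnets/localhost from ns_g_defaults, so either that is intended or the condition wants the same `strcmp(view->name, "_bind") != 0` guard. The new comment should also carry the why, since the reflection rationale lives only in CHANGES: `/* No allow-recursion configured: fall back to the builtin default (localnets; localhost) so an unconfigured recursive server is not an open resolver; a non-recursive view keeps recursionacl NULL. */`. configure_view continues outside the hunk.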
@@ -3069,20 +3069,21 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. and whether the element was negated. - - When used as an access control list, a non-negated match allows - access and a negated match denies access. If there is no match, - access is denied. The clauses allow-notify, - allow-query, allow-query-cache, - allow-transfer, - allow-update, allow-update-forwarding, - and blackhole all use address match - lists. - Similarly, the listen-on option will cause the server to not - accept - queries on any of the machine's addresses which do not match the - list. - + + When used as an access control list, a non-negated match + allows access and a negated match denies access. If + there is no match, access is denied. The clauses + allow-notify, + allow-query, + allow-query-cache, + allow-transfer, + allow-update, + allow-update-forwarding, and + blackhole all use address match + lists. Similarly, the listen-on option will cause the + server to not accept queries on any of the machine's + addresses which do not match the list. + Because of the first-match aspect of the algorithm, an element 
@@ -5772,64 +5773,57 @@ options { - - allow-query - - - Specifies which hosts are allowed to - ask ordinary DNS questions. allow-query may also - be specified in the zone - statement, in which - case it overrides the options allow-query statement. - allow-query-cache may also be - specified and will - overrides access to the cache. - If not specified, the default is to allow queries from all - hosts. - - - + + allow-query + + + Specifies which hosts are allowed to ask ordinary + DNS questions. allow-query may + also be specified in the zone + statement, in which case it overrides the + options allow-query statement. + If not specified, the default is to allow queries + from all hosts. + + + + allow-query-cache is now + used to specify access to the cache. + + + + - - allow-query-cache - - - Specifies which hosts are allowed to get answers - from the cache. If not set allow-query applies. - - - The recommended way to set query access to the cache is now - via - allow-query-cache rather than - allow-query. - Inheritance from allow-query - has been retained for - backwards compatability. - - - - If allow-query-cache is set - at the options - level and not set in the view it will still override a - allow-query set at the view - level. - - - - + + allow-query-cache + + + Specifies which hosts are allowed to get answers + from the cache. The default is the builtin acls + localnets and + localhost. + + + The way to set query access to the cache is now + via allow-query-cache. + This differs from earlier versions which used + allow-query. + + + allow-recursion - Specifies which hosts are allowed to - make recursive queries through this server. If not - specified, the - default is to allow recursive queries from all hosts. - Note that disallowing recursive queries for a host does not - prevent the - host from retrieving data that is already in the server's - cache. + Specifies which hosts are allowed to make recursive + queries through this server. 
If not specified, + the default is to allow recursive queries from + the builtin acls localnets and + localhost. + Note that disallowing recursive queries for a + host does not prevent the host from retrieving + data that is already in the server's cache.