Well, I suppose it's a little silly that the informational message would count
"none" as an "IP address", but on the other hand, why specify "allow-update {
none; };" when that's the default? It probably never occurred to the
creator/author of the informational message that someone would "superfluously"
define an allow-update that exactly mirrors the default behavior.
If you're doing that only for documentation purposes, you could use a comment
instead.
- Kevin
-----Original Message-----
From: bind-users [mailto:[email protected]] On Behalf Of Michael
Weiser
Sent: Friday, November 18, 2016 12:32 PM
To: [email protected]
Subject: False positive on inscure zone update by IP?
Hi,
today I noticed the following log messages from my caching-only bind on
startup:
zone 'localhost' allows updates by IP address, which is insecure zone
'version.bind' allows updates by IP address, which is insecure zone
'hostname.bind' allows updates by IP address, which is insecure zone
'authors.bind' allows updates by IP address, which is insecure zone 'id.server'
allows updates by IP address, which is insecure
What's bugging me about those it that I have set allow-updates { none; } in the
global options section of my named.conf. Setting it on the localhost zone
explicitly doesn't change anything.
I've looked at the implementation of dns_acl_isinsecure() and got the
impression that there might simply be a check missing for special ACL "none".
So I wonder: Can I ignore these messages?
--
Thanks,
Michael
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
