> On Mar 14, 2022, at 5:11 PM, Philip Prindeville 
> <philipp_s...@redfish-solutions.com> wrote:
>> On Mar 14, 2022, at 4:25 PM, Tony Finch <f...@isc.org> wrote:
>> Philip Prindeville <philipp_s...@redfish-solutions.com> wrote:
>>> But I've noticed that since I added the following to my options { }:
>>>       allow-transfer { none; };
>>>       dnssec-validation auto;
>>>       listen-on-v6 { none; };
>>> That I get a *lot* of lines like:
>>> ; Communication with ::1#53 failed: connection refused
>> "Doctor it hurts when I do this!"
>> When you use `nsupdate -l` you are using a hard-coded configuration, that
>> uses a compiled-in path to the session key and fixed IPv4 and IPv6
>> localhost addresses.
>> If that doesn't fit your setup then you need to adjust the command-line
>> options for `nsupdate`.
>> I think for your purposes it would be best to add an environment variable
>> for the nsupdate options, so that the admin can set the variable to
>> contain different options if bare -l doesn't fit their needs. So if in
>> some fit of self-harm they have turned off IPv6, they can add -4 to the
>> variable, or they can get more creative with the -k option. (Sadly you
>> have to set the server address in the update script, not on the command
>> line.)
> I'm operating on a residential ILEC that hasn't deployed IPv6, so turning off 
> IPv6 isn't "self-harm", it's what cyber security professionals refer to as 
> "reducing attack surface".
> There's no benefit in my situation to listening on IPv6 sockets, and it only 
> provides a potential exploit for hackers.
> There's no "admin" in my case, this is startup scripting on an embedded 
> device (a firewall router).
> I could grep for the explicit string "listen-on-v6 { none; };" but I'd need 
> to isolate that in the "options { } " section, make sure it's not commented 
> out, handle multi-line and whitespace processing, handle "include" 
> processing, etc.
> In short, it's non-trivial.
> I was hoping that there's a trivial way to parse the named.conf file and 
> figure out what it listens on for updates using a Bind utility, but I guess 
> not...
> -Philip

Actually, the canonicalization and include processing are handled by 
"named-checkconf -px" ... though I'm not sure why it generates two spaces 
between "listen-on-v6" and "{"...

The rest can be handled by a multiline PerlRE I guess.
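As an added illustration of that approach (not code from the thread or from BIND), here is a small POSIX sh function that reads canonicalized `named-checkconf -px` output on stdin and emits the `nsupdate` flags to use: `-l -4` when `options { }` contains an explicit `listen-on-v6 { none; };`, otherwise plain `-l`. The sample configs below are constructed stand-ins for the real output, and the exact layout (whether `none` is quoted, how braces are indented) is assumed; the tokenizer ignores whitespace and line breaks, so it copes with the double space mentioned above. It only recognises an explicit `none` and does not guess BIND's default when the statement is absent.

```shell
#!/bin/sh
# Read canonicalized named.conf (output of `named-checkconf -px`) on stdin and
# print the nsupdate flags for a local update: "-l -4" if IPv6 listening is
# explicitly disabled inside options { }, otherwise "-l".
nsupdate_local_opts() {
    if awk '
        {
            gsub(/[{};]/, " & ")            # make braces/semicolons standalone tokens
            for (i = 1; i <= NF; i++) {
                t = $i
                if (t == "{") {
                    depth++
                    if (depth == 1 && stmt == "options") inopt = 1
                    if (depth == 2 && inopt && stmt == "listen-on-v6") inl6 = 1
                    stmt = ""
                } else if (t == "}") {
                    if (depth == 2) inl6 = 0
                    if (depth == 1) inopt = 0
                    depth--
                    stmt = ""
                } else if (t == ";") {
                    stmt = ""
                } else {
                    if (stmt == "") stmt = t  # first word of the current statement
                    if (inl6 && t ~ /^"?none"?$/) found = 1
                }
            }
        }
        END { exit (found ? 0 : 1) }
    '; then
        echo "-l -4"
    else
        echo "-l"
    fi
}

# Constructed samples standing in for real `named-checkconf -px` output
# (layout assumed; quoting of "none" and indentation may differ on a real system).
V6_OFF_CONF='options {
    allow-transfer {
        "none";
    };
    dnssec-validation auto;
    listen-on-v6  {
        "none";
    };
};'
V6_ON_CONF='options {
    listen-on-v6  {
        any;
    };
};'

opts_for() { printf '%s\n' "$1" | nsupdate_local_opts; }
echo "IPv6 off -> $(opts_for "$V6_OFF_CONF")"   # prints: IPv6 off -> -l -4
echo "IPv6 on  -> $(opts_for "$V6_ON_CONF")"    # prints: IPv6 on  -> -l
```

On a real box the same function is driven by the live config, e.g. `nsupdate $(named-checkconf -px | nsupdate_local_opts) update.txt`, so the `-4` decision tracks whatever `named` actually listens on.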
