Lawrence MacIntyre wrote:
Hi:

I have a name server running named on a closed network. The root servers name my node and another node (running DNS on a Sidewinder firewall) as authoritative for our domain as well as several subdomains. Two of the subdomains have their own servers, and we configured our (allegedly authoritative) servers as slaves to the subdomain servers. This worked well for several years. Now, these subdomains have decided (for "security" reasons) that they are going to disallow zone transfers to us. So we set our servers to forward requests to the subdomain nameservers. The Sidewinder does this, but our server doesn't. It simply reports that it has no information about any node in the subdomain. Remote users report that when they use dig +trace @ourserver node.in.subdomain, they see referrals to the Internet root servers. Our hints file has the correct root servers, and we don't even have a file listing the Internet root servers. I cannot verify their claims, as it doesn't do that when queried from our site, and I have no access to an account on any remote site.

What does named do when it is listed as authoritative for a domain by the root servers, but is configured to forward requests for addresses in that domain? Does anyone know how the remote users could see referrals to the Internet root servers even though we have the correct root servers set in our nameserver?
I started a long tirade about clueless admins who take the mantra "zone transfers are insecure" way too far, but I think the more terse and level-headed response is:

a) BIND will never recurse a non-recursive query, and non-recursive queries are what it gets when arbitrary resolvers query yours as a result of following the resolution of the query down the delegation chain (e.g. what one sees in dig +trace).

b) If you want to recurse a query that wasn't recursive to begin with, I think this falls under the generic heading of "proxying DNS". BIND doesn't support that, but I'm presuming that's what the Sidewinder is doing.

c) In architectural terms, you simply *cannot* be "authoritative" for a zone if you don't replicate the full contents of the zone, either in-protocol (AXFR/IXFR) or via some "out-of-band" mechanism (e.g. rsync).

d) Are these subdomains being hosted on BIND or something that supports TSIG? Perhaps offering to TSIG-authenticate your zone transfers might satisfy their security requirements...

- Kevin

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
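Added example (not from the thread, not BIND's code): a small Python sketch of two things the reply above leans on. First, the header bit that decides whether a server is being asked to recurse at all: dig +trace and iterative resolvers send queries with RD clear, which is why a forward-only configuration never gets exercised by them. Second, point d): what a TSIG-signed AXFR request looks like on the wire and how the receiving server checks it (RFC 8945, hmac-sha256), which is the mechanism that lets the subdomain admins allow transfers to one named key instead of to an IP address. The key name `xfer-key.example.`, the secret, the zone name and the timestamps are constructed placeholders; on a BIND server the equivalent is a `key` statement plus `allow-transfer { key xfer-key.example.; };` on the zone. Standard library only.

```python
"""Added example: RD flag inspection and a TSIG-signed AXFR request (RFC 8945,
hmac-sha256) with server-side verification. All names and secrets are constructed."""
import hashlib
import hmac
import struct
import time

TSIG_TYPE, CLASS_ANY, CLASS_IN = 250, 255, 1
QTYPE_A, QTYPE_AXFR = 1, 252
ALGO = "hmac-sha256."                      # TSIG algorithm, carried as a domain name
RD_FLAG = 0x0100                           # Recursion Desired bit in the header flags
KEYNAME = "xfer-key.example."              # constructed key name, not a real deployment
SECRET = b"constructed-example-secret-do-not-use"


def encode_name(name):
    """Wire-format a name in TSIG canonical form (lowercase, uncompressed)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(buf, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            end = end or off + 2
            off = ((length & 0x3F) << 8) | buf[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii").lower())
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_query(qname, qtype, rd, msg_id=0x1234):
    """rd=False is what dig +trace and iterative resolvers send: BIND answers
    such a query from authoritative data or referral, never by recursing."""
    flags = RD_FLAG if rd else 0
    return (struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN))


def wants_recursion(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & RD_FLAG)


def tsig_variables(keyname, time_signed, fudge, error, other):
    """The TSIG variables that are MACed together with the message (RFC 8945 4.3.3)."""
    return (encode_name(keyname) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(ALGO) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(msg, keyname, secret, time_signed=None, fudge=300):
    """Client side: MAC the unsigned message, append the TSIG RR, bump ARCOUNT."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(secret, msg + tsig_variables(keyname, time_signed, fudge, 0, b""),
                   hashlib.sha256).digest()
    rdata = (encode_name(ALGO) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac
             + msg[0:2] + struct.pack("!HH", 0, 0))    # original ID, error, other len
    rr = encode_name(keyname) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr


def tsig_verify(signed, keys, now=None):
    """Server side: find the trailing TSIG RR, rebuild the unsigned message,
    recompute the MAC under the named key and enforce the fudge window."""
    now = int(time.time()) if now is None else now
    try:
        _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
        if ar == 0:
            return False
        off = 12
        for _ in range(qd):
            _, off = read_name(signed, off)
            off += 4
        for _ in range(an + ns + ar):                  # last RR must be the TSIG
            rr_start = off
            _, off = read_name(signed, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", signed[off:off + 10])
            off += 10 + rdlen
        if rtype != TSIG_TYPE or off != len(signed):
            return False
        keyname, o = read_name(signed, rr_start)
        algo, o = read_name(signed, o + 10)
        time_signed = int.from_bytes(signed[o:o + 6], "big")
        fudge, macsize = struct.unpack("!HH", signed[o + 6:o + 10])
        mac = signed[o + 10:o + 10 + macsize]
        o += 10 + macsize
        orig_id, error, otherlen = struct.unpack("!HHH", signed[o:o + 6])
        other = signed[o + 6:o + 6 + otherlen]
    except (struct.error, IndexError, UnicodeDecodeError):
        return False
    secret = keys.get(keyname)
    if secret is None or algo != ALGO:
        return False
    unsigned = (struct.pack("!H", orig_id) + signed[2:10]
                + struct.pack("!H", ar - 1) + signed[12:rr_start])
    expected = hmac.new(secret, unsigned + tsig_variables(keyname, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected) and abs(now - time_signed) <= fudge


def demo(now=1700000100):
    """Sign a non-recursive AXFR request and show what the server accepts or rejects."""
    keys = {KEYNAME: SECRET}
    signed = tsig_sign(build_query("sub.example.", QTYPE_AXFR, rd=False),
                       KEYNAME, SECRET, time_signed=1700000000)
    tampered = bytearray(signed)
    tampered[13] ^= 0x01                               # flip a bit inside the QNAME
    return {
        "axfr_is_non_recursive": not wants_recursion(signed),
        "valid": tsig_verify(signed, keys, now),
        "tampered": tsig_verify(bytes(tampered), keys, now),
        "wrong_key": tsig_verify(signed, {KEYNAME: b"other"}, now),
        "stale": tsig_verify(signed, keys, now + 3600),
    }


if __name__ == "__main__":
    print(demo())
```

The verify routine rejects a message whose question was altered, one signed under a different secret, and one whose timestamp falls outside the fudge window, which is exactly the set of properties that make "allow transfers to this key" a stronger access control than "allow transfers from this IP".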
