> On Mar 14, 2022, at 4:25 PM, Tony Finch <f...@isc.org> wrote:
> 
> Philip Prindeville <philipp_s...@redfish-solutions.com> wrote:
>> 
>> But I've noticed that since I added the following to my options { }:
>> 
>>        allow-transfer { none; };
>>        dnssec-validation auto;
>>        listen-on-v6 { none; };
>> 
>> That I get a *lot* of lines like:
>> 
>> ; Communication with ::1#53 failed: connection refused
> 
> "Doctor it hurts when I do this!"
> 
> When you use `nsupdate -l` you are using a hard-coded configuration that
> uses a compiled-in path to the session key and fixed IPv4 and IPv6
> localhost addresses.
> 
> If that doesn't fit your setup then you need to adjust the command-line
> options for `nsupdate`.
> 
> I think for your purposes it would be best to add an environment variable
> for the nsupdate options, so that the admin can set the variable to
> contain different options if bare -l doesn't fit their needs. So if in
> some fit of self-harm they have turned off IPv6, they can add -4 to the
> variable, or they can get more creative with the -k option. (Sadly you
> have to set the server address in the update script, not on the command
> line.)


I'm operating on a residential ILEC that hasn't deployed IPv6, so turning off 
IPv6 isn't "self-harm"; it's what cyber security professionals refer to as 
"reducing attack surface".

There's no benefit in my situation to listening on IPv6 sockets, and it only 
provides a potential exploit for hackers.

There's no "admin" in my case, this is startup scripting on an embedded device 
(a firewall router).

I could grep for the explicit string "listen-on-v6 { none; };" but I'd need to 
isolate that in the "options { }" section, make sure it's not commented out, 
handle multi-line and whitespace processing, handle "include" processing, etc.

In short, it's non-trivial.

I was hoping that there's a trivial way to parse the named.conf file and figure 
out what it listens on for updates using a BIND utility, but I guess not...

-Philip
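An added example, not code from this thread or from BIND: a small Python script that does the named.conf inspection Philip describes (strips `/* */`, `//` and `#` comments, expands `include` statements, isolates the `options { }` block, reads `listen-on` and `listen-on-v6`) and emits the `nsupdate` flags that a startup script could put in the environment variable Tony suggests, adding `-4` when IPv6 listening is explicitly `none`. The configuration files are constructed samples, `nsupdate_args`, `load_config`, `block_body` and the `read` callback are this example's own names, and include paths are passed through exactly as written in the config (it does not reproduce named's own path resolution).

```python
"""Derive nsupdate -l options from named.conf (example code, not BIND's own)."""
import re
import shlex
import sys

INCLUDE_RE = re.compile(r'\binclude\s+"([^"]+)"\s*;')


def strip_comments(text: str) -> str:
    """Remove /* */, // and # comments; quoted strings are copied verbatim and
    newlines are kept so that statements never run together."""
    out, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c == '"':                                  # quoted string: keep as-is
            j = text.find('"', i + 1)
            j = n - 1 if j == -1 else j
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith('/*', i):                # block comment
            j = text.find('*/', i + 2)
            i = n if j == -1 else j + 2
            out.append(' ')
        elif text.startswith('//', i) or c == '#':    # line comment
            j = text.find('\n', i)
            i = n if j == -1 else j                   # the newline itself survives
        else:
            out.append(c)
            i += 1
    return ''.join(out)


def load_config(path, read=None, _stack=()):
    """Return the file's text with comments removed and include statements
    expanded recursively.  `read` maps a path to text (defaults to disk);
    include paths are handed to `read` exactly as written in the config."""
    read = read or (lambda p: open(p, encoding='utf-8').read())
    if path in _stack:
        raise ValueError(f'include loop at {path}')
    text = strip_comments(read(path))
    expand = lambda m: load_config(m.group(1), read, _stack + (path,))
    return INCLUDE_RE.sub(expand, text)


def block_body(text, name):
    """Text between the braces of the first `name [modifiers] { ... }`
    statement, or None if absent.  `listen-on` does not match `listen-on-v6`,
    and braces inside quoted strings are ignored when matching."""
    pat = r'(?<![\w-])' + re.escape(name) + r'(?![\w-])[^{;]*\{'
    m = re.search(pat, text)
    if not m:
        return None
    depth, i, n = 1, m.end(), len(text)
    start = i
    while i < n and depth:
        c = text[i]
        if c == '"':
            i = text.find('"', i + 1)
            if i == -1:
                return None
        elif c == '{':
            depth += 1
        elif c == '}':
            depth -= 1
        i += 1
    return text[start:i - 1] if depth == 0 else None


def listens(body):
    """Address-match list body: False for an explicit `none`, True otherwise
    (addresses, `any`, ACL names)."""
    items = [t.strip() for t in body.split(';') if t.strip()]
    return items != ['none']


def nsupdate_args(named_conf, read=None):
    """nsupdate argument list for local updates.  An absent listen clause is
    left alone (named's compiled-in default applies); an explicit `none` on one
    family forces nsupdate onto the other."""
    options = block_body(load_config(named_conf, read), 'options') or ''
    v4 = block_body(options, 'listen-on')
    v6 = block_body(options, 'listen-on-v6')
    args = ['-l']
    if v6 is not None and not listens(v6):
        args.append('-4')
    elif v4 is not None and not listens(v4):
        args.append('-6')
    return args


# Constructed sample configuration (not Philip's real files).
SAMPLE_FILES = {
    '/etc/named.conf': '// main config\ninclude "/etc/named.options.conf";\n',
    '/etc/named.options.conf': '''options {
    directory "/var/named";
    /* listen-on-v6 { any; };  old setting, now commented out */
    allow-transfer { none; };
    dnssec-validation auto;
    listen-on-v6
        { none; };   # IPv6 not deployed here
    listen-on port 53 { 127.0.0.1; 192.0.2.53; };
};
''',
}

if __name__ == '__main__':
    # Real use: NSUPDATE_OPTS=$(python3 nsupdate_opts.py /etc/named.conf)
    if len(sys.argv) > 1:
        print(shlex.join(nsupdate_args(sys.argv[1])))
    else:
        print(shlex.join(nsupdate_args('/etc/named.conf', lambda p: SAMPLE_FILES[p])))
```

On a host that has the BIND tools installed, `named-checkconf -p` prints the configuration in canonical form with included files expanded and comments dropped, so a script can pipe that output into the block extraction above instead of carrying its own comment and include handling.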



bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users