Re: allow-query for a zone

2012-01-20 Thread John Wobus

Actually, I just realized a possible counterexample: if the zone is a
subzone of another zone that the server hosts, the type of error
depends on the strategy used.  With the zone statement, the error will be
REFUSED; without the zone statement, it will be SERVFAIL because of
the lame delegation to itself.

And if it's your caching server, and the zone is delegated elsewhere,
depending upon whether the zone is configured as discussed
(allow-query=none) or not configured at all, you are giving your clients
a REFUSED or you are answering them with cached data.  One possible way
to implement policy, e.g. to make it less likely to reach known phishing
sites.

John Wobus
Cornell
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: allow-query for a zone

2012-01-17 Thread Warren Kumari

On Jan 17, 2012, at 3:44 AM, Matus UHLAR - fantomas wrote:

>>> Whether you set allow-query to none, or remove the zone statement,
>>> clients will get an error when they try to query the zone.
> 
> On 17.01.12 14:13, Jeff Peng wrote:
>> There is a difference when you develop a web interface for DNS system.
>> A user can "pause" the domain from web interface, if we remove the zone and 
>> records from BIND files, how will we do if user choose to enable the domain?
> 
> simply: instead of adding "allow-notify {none;};" when user pauses a zone, 
> you remove whole zone definition from the config file.


Or simply comment out the zone definition:

// example.com -- Zone stanza generated by WebUI
zone "example.com" {
    type master;
    file "/etc/namedb/example.com";
};


> When user unpauses, you will re-add the zone to bind config

// example.com -- Zone stanza generated by WebUI - paused.
//REMOVE_TO_UNPAUSE//zone "example.com" {
//REMOVE_TO_UNPAUSE//    type master;
//REMOVE_TO_UNPAUSE//    file "/etc/namedb/example.com";
//REMOVE_TO_UNPAUSE//};


> 
>> But with allow-query none, only adding a statement we can "pause" the domain 
>> for querying, but can re-enable it by removing this statement later.
> 
> The zone can stay on disk, in database etc, even when "paused".
> 
> You still need to edit the config file, so there's not big difference.
> 
> There's one Barry mentioned: With allow-query_none anyone who queries will 
> get REFUSED, when you remove the zone definition they'll get SERVFAIL or 
> maybe NXDOMAIN
> 
> 
> -- 
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Depression is merely anger without enthusiasm. 



Re: allow-query for a zone

2012-01-17 Thread Matus UHLAR - fantomas

Whether you set allow-query to none, or remove the zone statement,
clients will get an error when they try to query the zone.


On 17.01.12 14:13, Jeff Peng wrote:

There is a difference when you develop a web interface for DNS system.
A user can "pause" the domain from web interface, if we remove the 
zone and records from BIND files, how will we do if user choose to 
enable the domain?


simply: instead of adding "allow-notify {none;};" when user pauses a 
zone, you remove whole zone definition from the config file. When user 
unpauses, you will re-add the zone to bind config


But with allow-query none, only adding a statement we can "pause" the 
domain for querying, but can re-enable it by removing this statement 
later.


The zone can stay on disk, in database etc, even when "paused".

You still need to edit the config file, so there's not big difference.

There's one Barry mentioned: With allow-query_none anyone who queries 
will get REFUSED, when you remove the zone definition they'll get 
SERVFAIL or maybe NXDOMAIN



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Depression is merely anger without enthusiasm. 


Re: allow-query for a zone

2012-01-17 Thread Barry Margolin
In article ,
 Jeff Peng  wrote:

> > Whether you set allow-query to none, or remove the zone statement,
> > clients will get an error when they try to query the zone.
> 
> There is a difference when you develop a web interface for DNS system.
> A user can "pause" the domain from web interface, if we remove the zone 
> and records from BIND files, how will we do if user choose to enable the 
> domain?
> But with allow-query none, only adding a statement we can "pause" the 
> domain for querying, but can re-enable it by removing this statement later.

You don't have to remove the records from the database managed by the 
web interface.  It can still remember that the zone exists, it just 
doesn't put it into the named.conf.

If you're using the named.conf file as the database, I can see your 
point, although you could still do it by commenting out the zone 
statement, with comment markers that the web application recognizes.

-- 
Barry Margolin
Arlington, MA
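
An added example, not part of the original thread or any poster's code: one way a web application could toggle the //REMOVE_TO_UNPAUSE// marker from Warren Kumari's reply on a single zone stanza. The function name, the zone-name check and the sample named.conf text are assumptions, and braces inside comments or quoted strings are not handled.

```python
import re

MARKER = "//REMOVE_TO_UNPAUSE//"  # marker string from the thread
# The zone name arrives from the web UI, so treat it as untrusted input.
ZONE_OK = re.compile(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*")

# Constructed sample named.conf text (not from a real server).
SAMPLE = """// example.com -- Zone stanza generated by WebUI
zone "example.com" {
    type master;
    file "/etc/namedb/example.com";
};
zone "example.org" { type master; file "/etc/namedb/example.org"; };
"""

def _span(lines, zone, paused):
    """Return (first, last) line index of the zone stanza in the given state."""
    lead = re.escape(MARKER) if paused else ""
    head = re.compile(lead + r'\s*zone\s+"' + re.escape(zone) + r'"\s*\{', re.I)
    first = next((i for i, l in enumerate(lines) if head.match(l)), None)
    if first is None:
        return None
    depth = 0
    for last in range(first, len(lines)):
        if paused and not lines[last].startswith(MARKER):
            break  # stanza only partly marked: refuse to guess
        body = lines[last][len(MARKER):] if paused else lines[last]
        depth += body.count("{") - body.count("}")
        if depth == 0:
            return first, last
    raise ValueError("malformed stanza for zone %r" % zone)

def set_zone_paused(conf, zone, pause):
    """Comment out (pause=True) or restore (pause=False) one zone stanza."""
    zone = zone.lower().rstrip(".")
    if len(zone) > 253 or not ZONE_OK.fullmatch(zone):
        raise ValueError("invalid zone name")
    lines = conf.split("\n")
    span = _span(lines, zone, paused=not pause)
    if span is None:
        if _span(lines, zone, paused=pause) is None:
            raise KeyError("zone %r not found" % zone)
        return conf  # already in the requested state
    for i in range(span[0], span[1] + 1):
        lines[i] = MARKER + lines[i] if pause else lines[i][len(MARKER):]
    return "\n".join(lines)
```

Run named-checkconf on the rewritten file before asking named to reload it, so a bad edit never reaches the running server.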


Re: allow-query for a zone

2012-01-16 Thread Jeff Peng



Whether you set allow-query to none, or remove the zone statement,
clients will get an error when they try to query the zone.


There is a difference when you develop a web interface for DNS system.
A user can "pause" the domain from web interface, if we remove the zone 
and records from BIND files, how will we do if user choose to enable the 
domain?
But with allow-query none, only adding a statement we can "pause" the 
domain for querying, but can re-enable it by removing this statement later.


Thanks.



Re: allow-query for a zone

2012-01-16 Thread Barry Margolin
In article ,
 Jeff Peng  wrote:

> >> Well, my dns manage system (dnsbed.com) requires a "zone pause" feature.
> >> >  When user click the "pause" button, the zone should be stopped for
> >> >  resolving, but the config and records should be kept.
> > How can you tell the difference?
> 
> 
> what difference do you mean?

Whether you set allow-query to none, or remove the zone statement, 
clients will get an error when they try to query the zone.

Actually, I just realized a possible counterexample: if the zone is a 
subzone of another zone that the server hosts, the type of error depends 
on the strategy used.  With the zone statement, the error will be 
REFUSED; without the zone statement, it will be SERVFAIL because of the 
lame delegation to itself.

-- 
Barry Margolin
Arlington, MA


Re: allow-query for a zone

2012-01-16 Thread Jeff Peng



Well, my dns manage system (dnsbed.com) requires a "zone pause" feature.
>  When user click the "pause" button, the zone should be stopped for
>  resolving, but the config and records should be kept.

How can you tell the difference?



what difference do you mean?


Re: allow-query for a zone

2012-01-16 Thread Barry Margolin
In article ,
 Jeff Peng  wrote:

> On 2012-1-17 1:58, Warren Kumari wrote:
> > Just out of interest, why wouldn't you just comment out the zone stanza?
> >
> > Would cut down on memory usage, load time, etc…
> >
> > I'm sure you have a use case, just a wondering…
> 
> Well, my dns manage system (dnsbed.com) requires a "zone pause" feature.
> When user click the "pause" button, the zone should be stopped for 
> resolving, but the config and records should be kept.

How can you tell the difference?

-- 
Barry Margolin
Arlington, MA

Re: allow-query for a zone

2012-01-16 Thread Jeff Peng

On 2012-1-17 1:58, Warren Kumari wrote:

Just out of interest, why wouldn't you just comment out the zone stanza?

Would cut down on memory usage, load time, etc…

I'm sure you have a use case, just a wondering…


Well, my dns manage system (dnsbed.com) requires a "zone pause" feature.
When user click the "pause" button, the zone should be stopped for 
resolving, but the config and records should be kept.


Thanks.

Re: allow-query for a zone

2012-01-16 Thread Warren Kumari

On Jan 16, 2012, at 1:50 AM, Jeff Peng wrote:

> Hi,
> 
> If I just want to disable any client to query for a zone, but keep that zone 
> in the config file (maybe later I will enable it to be accessible), can I 
> just set:

Just out of interest, why wouldn't you just comment out the zone stanza? 

Would cut down on memory usage, load time, etc…

I'm sure you have a use case, just a wondering…

W


> 
> allow-query { none; };
> 
> in the zone section?
> 
> zone "example.com" {
>  type master;
>  file "example.com.db";
>  allow-query { none; };
> };
> 
> Thanks.


---
Don't be impressed with unintelligible stuff said condescendingly .
-- Radia Perlman.

Warren Kumari
war...@kumari.net





Re: allow-query for a zone

2012-01-16 Thread Matus UHLAR - fantomas

On 16.01.12 14:50, Jeff Peng wrote:
If I just want to disable any client to query for a zone, but keep 
that zone in the config file (maybe later I will enable it to be 
accessible), can I just set:


allow-query { none; };

in the zone section?


afaik you can. According to docs, you can use allow-query in a zone and 
there's no reason why none wouldn't be valid in allow-query statement.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Despite the cost of living, have you noticed how popular it remains? 


Re: allow-query for a zone

2012-01-16 Thread With No Name
I would use

allow-query { 127.0.0.1; };



allow-query for a zone

2012-01-15 Thread Jeff Peng

Hi,

If I just want to disable any client to query for a zone, but keep that 
zone in the config file (maybe later I will enable it to be accessible), 
can I just set:


allow-query { none; };

in the zone section?

zone "example.com" {
  type master;
  file "example.com.db";
  allow-query { none; };
};

Thanks.