Re: [alpine-devel] [PATCH] bind: Modify default config to be more secure

From: Natanael Copa <ncopa_at_alpinelinux.org>
Date: Thu, 16 Oct 2014 21:10:37 +0200

On Thu, 16 Oct 2014 16:52:17 +0100
Hugo Landau <hlandau_at_devever.net> wrote:

> By default BIND will happily serve as both an authoritative nameserver
> and recursive resolver, but this is no longer a recommended or desirable
> configuration. The previous default configuration did not draw attention
> to this fact and the issues involved.
>
> Users are now made to rename one of two sample configuration files,
> named.conf.authoritative or named.conf.recursive. Comments inside either
> file advise DNS administrators of the most prevalent security issues.
>
> This ensures that users setting up an authoritative nameserver do not
> unwittingly also operate a resolver. In the previous default
> configuration, BIND would happily perform recursive resolution for
> localhost, which means that the local machine may receive
> non-authoritative data from what is supposed to be an authoritative
> nameserver.
>
> Both default configurations disable zone transfers by default, as BIND
> defaults to enabling them for any host (!).
> ---
> main/bind/APKBUILD | 26 ++++++----
> main/bind/named.conf | 53 -------------------
> main/bind/named.conf.authoritative | 56 ++++++++++++++++++++
> main/bind/named.conf.recursive | 104 +++++++++++++++++++++++++++++++++++++
> main/bind/named.initd | 2 +-
> 5 files changed, 177 insertions(+), 64 deletions(-)
> delete mode 100644 main/bind/named.conf
> create mode 100644 main/bind/named.conf.authoritative
> create mode 100644 main/bind/named.conf.recursive

applied. Thanks!

-nc
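For readers who want to see what the split described in the patch looks like in BIND syntax, here are two minimal named.conf variants as an added illustration. They are not the contents of the patch's named.conf.authoritative or named.conf.recursive (those files are not reproduced in this thread); the directory, zone name, file paths and the secondary address are placeholders.

```conf
// Added example, not the patch's own files. Two separate named.conf
// variants (one per file, never both in one file) showing the split
// between an authoritative server and a recursive resolver.

// ---- Variant 1: authoritative-only server ----
options {
    directory "/var/bind";          // placeholder path
    // Never resolve on behalf of clients from an authoritative server:
    // it would hand the local host cached, non-authoritative data and,
    // unless restricted, act as an open resolver for the Internet.
    recursion no;
    allow-query { any; };           // authoritative data is public by design
    // BIND's built-in default allows AXFR to any host; close it globally.
    allow-transfer { none; };
};

zone "example.com" IN {
    type master;
    file "pri/example.com.zone";    // placeholder file
    // Re-open transfers only for known secondaries, per zone:
    // allow-transfer { 192.0.2.53; };   // placeholder secondary address
};

// ---- Variant 2: recursive resolver for local clients only ----
options {
    directory "/var/bind";          // placeholder path
    recursion yes;
    // Limit who may recurse and query so this is not an open resolver.
    allow-recursion { localhost; localnets; };
    allow-query     { localhost; localnets; };
    // A resolver has no zones to hand out, but keep the global default closed.
    allow-transfer  { none; };
    dnssec-validation auto;
};

zone "." IN {
    type hint;
    file "named.ca";                // root hints, placeholder path
};
```

Validate either file with `named-checkconf` before restarting named. To confirm the authoritative variant behaves as intended from a client, query it for a name outside its zones: with `recursion no` the answer carries no `ra` flag and the server refuses or returns a referral instead of resolving, and an `AXFR` request against the zone fails unless the requesting address is listed in `allow-transfer`.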


Received on Thu Oct 16 2014 - 21:10:37 GMT