Date: Thu, 16 Oct 2014 21:10:37 +0200
From: Natanael Copa
To: Hugo Landau
Cc: alpine-devel@lists.alpinelinux.org
Subject: Re: [alpine-devel] [PATCH] bind: Modify default config to be more secure
Message-ID: <20141016211037.7cae786b@ncopa-laptop>
In-Reply-To: <1413474737-18941-1-git-send-email-hlandau@devever.net>
References: <1413474737-18941-1-git-send-email-hlandau@devever.net>

On Thu, 16 Oct 2014 16:52:17 +0100
Hugo Landau wrote:

> By default BIND will happily serve as both an authoritative nameserver
> and recursive resolver, but this is no longer a recommended or desirable
> configuration. The previous default configuration did not draw attention
> to this fact and the issues involved.
>
> Users are now made to rename one of two sample configuration files,
> named.conf.authoritative or named.conf.recursive. Comments inside either
> file advise DNS administrators of the most prevalent security issues.
>
> This ensures that users setting up an authoritative nameserver do not
> unwittingly also operate a resolver. In the previous default
> configuration, BIND would happily perform recursive resolution for
> localhost, which means that the local machine may receive
> non-authoritative data from what is supposed to be an authoritative
> nameserver.
>
> Both default configurations disable zone transfers by default, as BIND
> defaults to enabling them for any host (!).
> ---
>  main/bind/APKBUILD                 |  26 ++++++----
>  main/bind/named.conf               |  53 -------------------
>  main/bind/named.conf.authoritative |  56 ++++++++++++++++++++
>  main/bind/named.conf.recursive     | 104 +++++++++++++++++++++++++++++++++++++
>  main/bind/named.initd              |   2 +-
>  5 files changed, 177 insertions(+), 64 deletions(-)
>  delete mode 100644 main/bind/named.conf
>  create mode 100644 main/bind/named.conf.authoritative
>  create mode 100644 main/bind/named.conf.recursive

applied. Thanks!

-nc
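Added example (written here, not the contents of the patch's named.conf.authoritative and named.conf.recursive, which the mail does not show): the two roles the commit message separates, as two alternative named.conf fragments shown back to back, one per file. The zone name, file paths, the 192.0.2.53 secondary and the /var/bind working directory are placeholders.

```conf
// ===== Fragment 1: authoritative-only server (one file) =====
options {
    directory "/var/bind";            // placeholder working directory
    // Never resolve on behalf of clients; answers come only from loaded zones.
    // Clients on this host need a separate resolver (fragment 2 or an external one).
    recursion no;
    // Anyone may query the zones this server is authoritative for ...
    allow-query { any; };
    // ... but nobody may pull a full copy of them.
    // BIND's own default for allow-transfer is "any", which the patch turns off.
    allow-transfer { none; };
};

// Placeholder zone; replace with the zone this server actually serves.
zone "example.org" IN {
    type master;
    file "/var/bind/example.org.zone";
    // Zone-level override: grant AXFR only to the secondary that needs it.
    allow-transfer { 192.0.2.53; };   // placeholder secondary address
};

// ===== Fragment 2: recursive resolver for the local machine only (separate file) =====
acl "trusted" { 127.0.0.0/8; ::1/128; };

options {
    directory "/var/bind";            // placeholder working directory
    // Bind to loopback only, so the resolver is not reachable from the network.
    listen-on { 127.0.0.1; };
    listen-on-v6 { ::1; };
    recursion yes;
    // Recursion and cache access restricted to the loopback ACL above.
    allow-recursion { "trusted"; };
    allow-query { "trusted"; };
    allow-query-cache { "trusted"; };
    // A resolver has no zones to hand out, so disable transfers here too.
    allow-transfer { none; };
};

// Root hints so the resolver can iterate from the root servers.
zone "." IN {
    type hint;
    file "/var/bind/named.ca";
};
```

After editing either file, `named-checkconf` validates the syntax; `dig @127.0.0.1 example.org SOA` against the authoritative fragment should answer with the `aa` flag and without the `ra` flag, showing that recursion is not offered.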