
Bug#514640: bind9: changed ACL defaults



Package: release-notes

I suggest the following for inclusion in the release notes:

  By default, BIND no longer serves recursive queries to external
  hosts, only to localhost and RFC 1918 private address space.  To
  restore the previous behavior, add allow-query-cache and
  allow-recursion statements to the /etc/bind/named.conf.options file.

  BIND 8 has been removed.

This is based on the following NEWS item from the bind9 package.  You
could also use that instead.

bind9 (1:9.4.0-1) experimental; urgency=low

  As of bind 9.4, allow-query-cache and allow-recursion default to the
  builtin acls 'localnets' and 'localhost'.  If you are setting up a
  name server for a network, you will almost certainly need to change
  this.

  The change in default has been done to make caching servers less
  attractive as reflective amplifying targets for spoofed traffic.
  This still leaves authoritative servers exposed.

  The best fix is for full BCP 38 deployment to remove spoofed traffic.

 -- LaMont Jones <lamont@debian.org>  Wed, 03 Oct 2007 00:52:44 -0600
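The settings discussed in the message above, as an added configuration example that is not part of the original report or the bind9 package: it shows the 9.4 defaults, the open pre-9.4 equivalent, and a version scoped to a named client ACL. The ACL name `lan_clients` and the address ranges are constructed placeholders (documentation prefixes), to be replaced with the networks the server is meant to serve.

```bind
// Fragment for /etc/bind/named.conf.options (added example).
// "lan_clients" and the prefixes in it are constructed placeholders.
acl lan_clients {
    localhost;
    localnets;
    192.0.2.0/24;        // constructed: stands in for a routed client network
    2001:db8:10::/48;    // constructed: stands in for an IPv6 client network
};

options {
    // Defaults as of BIND 9.4, written out explicitly:
    //   allow-recursion   { localnets; localhost; };
    //   allow-query-cache { localnets; localhost; };

    // Equivalent of the pre-9.4 behaviour: any source address may use the
    // cache and recursion, which is the open-resolver setup the NEWS item
    // describes as attractive for reflection with spoofed traffic:
    //   allow-recursion   { any; };
    //   allow-query-cache { any; };

    // Scoped alternative for a server that resolves for a known network:
    // recursion and cached answers only for the listed clients.
    allow-recursion   { lan_clients; };
    allow-query-cache { lan_clients; };
};
```

Running `named-checkconf` on the edited configuration catches syntax errors before the server is reloaded.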


