Bug#514640: bind9: changed ACL defaults
Package: release-notes
I suggest the following for inclusion in the release notes:
By default, BIND no longer serves recursive queries to external
hosts, only to localhost and RFC 1918 private address space. To
restore the previous behavior, add allow-query-cache and
allow-recursion statements to the /etc/bind/named.conf.options file.
BIND 8 has been removed.
This is based on the following NEWS item from the bind9 package. You
could also use that instead.
bind9 (1:9.4.0-1) experimental; urgency=low
As of bind 9.4, allow-query-cache and allow-recursion default to the
builtin acls 'localnets' and 'localhost'. If you are setting up a
name server for a network, you will almost certainly need to change
this.
The change in default has been done to make caching servers less
attractive as reflective amplifying targets for spoofed traffic.
This still leaves authoritative servers exposed.
The best fix is for full BCP 38 deployment to remove spoofed traffic.
-- LaMont Jones <lamont@debian.org> Wed, 03 Oct 2007 00:52:44 -0600
Reply to: