
Bug#514640: bind9: changed ACL defaults



Dear bind9 maintainers,

The following bug was reported for the release notes.
Could you review the attached patch, and indicate if it's correct and
appropriate for the release notes.

On Mon, Feb 09, 2009 at 07:48:08PM +0100, Florian Weimer wrote:
> Package: release-notes
> 
> I suggest the following for inclusion in the release notes:
> 
>   By default, BIND no longer serves recursive queries to external
>   hosts, only to localhost and RFC 1918 private address space.  To
>   restore the previous behavior, add allow-query-cache and
>   allow-recursion statements to the /etc/bind/named.conf.options file.
> 
>   BIND 8 has been removed.
> 
> This is based on the following NEWS item from the bind9 package.  You
> could also use that instead.
> 
> bind9 (1:9.4.0-1) experimental; urgency=low
> 
>   As of bind 9.4, allow-query-cache and allow-recursion default to the
>   builtin acls 'localnets' and 'localhost'.  If you are setting up a
>   name server for a network, you will almost certainly need to change
>   this.
> 
>   The change in default has been done to make caching servers less
>   attractive as reflective amplifying targets for spoofed traffic.
>   This still leaves authoritative servers exposed.
> 
>   The best fix is for full BCP 38 deployment to remove spoofed traffic.
> 
>  -- LaMont Jones <lamont@debian.org>  Wed, 03 Oct 2007 00:52:44 -0600

Thanks in advance,
-- 
Nekral
Index: en/issues.dbk
===================================================================
--- en/issues.dbk	(révision 6882)
+++ en/issues.dbk	(copie de travail)
@@ -612,4 +628,18 @@
     for more information.
   </para>
 </section>
+
+<section>
+  <title>Upgrading <systemitem role="package">bind9</systemitem></title>
+  <para>
+    By default, BIND no longer serves recursive queries to external
+    hosts, only to localhost and RFC 1918 private address space.
+  </para>
+  <para>
+    To restore the previous behavior, add
+    <option>allow-query-cache</option> and
+    <option>allow-recursion</option> statements to the
+    <filename>/etc/bind/named.conf.options</filename> file.
+  </para>
+</section>
 </chapter>
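Review bot: the first paragraph of the new section, `+    hosts, only to localhost and RFC 1918 private address space.`, does not match the bind9 NEWS item quoted in this mail, which says allow-query-cache and allow-recursion now default to the builtin ACLs 'localnets' and 'localhost'; 'localnets' covers the networks on the server's own interfaces, which need not be RFC 1918 space, so the release note should name the builtin ACLs rather than describe them as private address space. The second paragraph tells the reader to add allow-query-cache and allow-recursion statements but not what to put in them; it would be more useful to show the two statements with an address-match list covering the networks the server should recurse for, and to say that 'any' recreates the open-resolver exposure the NEWS item is trying to remove. The suggested text earlier in the mail also contained "BIND 8 has been removed", which the patch drops; worth confirming that omission is intended.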

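As an added example that is not part of this bug report or of the bind9 package: a small Python audit script that reads a named.conf.options fragment and reports whether allow-recursion and allow-query-cache resolve to an open address-match list, so an administrator who follows the release note can check that the statements they added grant recursion to their own networks rather than to everyone. The two sample configurations, the acl name "trusted" and its networks are constructed assumptions; the default of 'localhost' and 'localnets' is taken from the NEWS item quoted above.

```python
import re

# Constructed sample (not from the original message): a named.conf.options
# that restores recursion for the site's own networks only. The acl name
# and the network ranges are assumptions.
RESTRICTED_OPTIONS = """
// /etc/bind/named.conf.options (constructed sample)
acl "trusted" {
    127.0.0.0/8;
    ::1;
    10.0.0.0/8;        # site network, assumed
    192.168.10.0/24;   # office LAN, assumed
};

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    /* authoritative zones stay queryable by anyone */
    allow-query { any; };
};
"""

# Constructed sample of the setting to avoid: the pre-9.4 behaviour recreated
# with the builtin 'any' ACL, i.e. an open recursive resolver.
OPEN_OPTIONS = """
options {
    recursion yes;
    allow-recursion { any; };
    allow-query-cache { any; };
};
"""

# Address-match elements that grant access to every source address.
OPEN_ELEMENTS = {"any", "0.0.0.0/0", "::/0"}
# Defaults as stated in the bind9 1:9.4.0-1 NEWS item quoted in the mail.
DEFAULT_9_4 = ["localhost", "localnets"]


def _strip_comments(text):
    """Remove /* */, // and # comments so they cannot hide or fake a statement."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(//|#).*", "", text)
    return text


def parse_acls(text):
    """Return {acl_name: [elements]} for every 'acl "name" { ... };' block."""
    acls = {}
    pattern = r'\bacl\s+"?([\w-]+)"?\s*\{([^}]*)\}\s*;'
    for m in re.finditer(pattern, _strip_comments(text)):
        acls[m.group(1)] = [e.strip() for e in m.group(2).split(";") if e.strip()]
    return acls


def parse_statement(text, name):
    """Return the address-match list of e.g. 'allow-recursion { ... };', or None if absent."""
    pattern = r"\b" + re.escape(name) + r"\s*\{([^}]*)\}\s*;"
    m = re.search(pattern, _strip_comments(text))
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def resolve(elements, acls):
    """Expand references to user-defined acls one level; builtin names pass through."""
    out = []
    for e in elements:
        out.extend(acls[e] if e in acls else [e])
    return out


def audit(text):
    """Classify allow-recursion and allow-query-cache as open, restricted or default."""
    acls = parse_acls(text)
    report = {}
    for stmt in ("allow-recursion", "allow-query-cache"):
        elems = parse_statement(text, stmt)
        if elems is None:
            # Statement absent: BIND 9.4+ falls back to the builtin ACLs.
            report[stmt] = ("default", DEFAULT_9_4)
            continue
        effective = resolve(elems, acls)
        status = "open" if OPEN_ELEMENTS & set(effective) else "restricted"
        report[stmt] = (status, effective)
    return report


if __name__ == "__main__":
    for label, conf in (("restricted", RESTRICTED_OPTIONS), ("open", OPEN_OPTIONS)):
        for stmt, (status, effective) in audit(conf).items():
            print(f"{label}: {stmt} is {status}: {effective}")
```

The parser is deliberately narrow: it handles the flat `statement { elem; elem; };` shape used in named.conf.options and expands one level of user-defined acl names, which is enough to tell a site-scoped list apart from 'any'. Builtin names such as 'localnets' are reported as-is, since their membership depends on the server's interfaces.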