
Re: Securing bind..



Michael D. Schleif wrote:
>
> jernej horvat wrote:

> ``Zone transfers are an archaic alternative mechanism for copying
> DNS information. Instead of immediately sending new data to the
> slaves, you run a zone-transfer service that accepts periodic
> connections from the slaves; your users complain while they're
> waiting for the slaves to check for new data. The zone-transfer

I may be missing the point here, but in BIND 8 the
'also-notify' command combined with the notify yes option
for me ensures instantaneous transfers to all the
slave servers. At my company I have 1 master and
about 7 slave nameservers spread across the various
offices/regions; after I added the also-notify options
with the IPs of the slave nameservers, zone transfers
were immediate. Before adding the also-notify, BIND
only notified one or 2 of the nameservers in the
allow-transfer ACL.

Works extremely well. Now this does NOT work in
some cases where you may have an ISP slave off
of you; some systems only do zone transfers
at specific times, but that is an administrative
decision (probably a good one for the larger
ISPs). If you control both master and slave,
though, it's quite possible.

I restrict zone transfers because there is no
need for anyone other than the slave nameservers
to do a zone transfer. That, and a couple of years
ago there was a DoS against BIND 8 that could
be triggered by hosts that were able to do
a zone transfer (this is long fixed, of course..).

nate
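For readers who want to see what the setup above looks like in named.conf, here is an added example (not part of the original post or of BIND's documentation) showing a master zone with open transfers next to the same zone with notify, also-notify and a restricted allow-transfer. It assumes BIND 8.2+/BIND 9 named.conf syntax; the addresses are constructed placeholders from the RFC 5737 documentation range and the zone and file names are hypothetical.

```conf
// --- Weak configuration (constructed example) ---
// Any host on the Internet may pull the whole zone with AXFR, and slaves
// only learn of changes when their SOA refresh timer expires.
zone "example.com" {
    type master;
    file "master/example.com.zone";
    allow-transfer { any; };
};

// --- Hardened configuration (constructed example) ---
// The ACL lists the slave nameservers that are allowed to transfer.
acl "slaves" {
    192.0.2.11;     // slave, office A   (placeholder address)
    192.0.2.12;     // slave, office B   (placeholder address)
    192.0.2.13;     // slave at the ISP  (placeholder address)
};

zone "example.com" {
    type master;
    file "master/example.com.zone";
    notify yes;                  // send NOTIFY whenever the zone is loaded/reloaded
    also-notify {                // notify these hosts in addition to the zone's NS records
        192.0.2.11;
        192.0.2.12;
        192.0.2.13;
    };
    allow-transfer { slaves; };  // every other AXFR/IXFR request is refused
};
```

After reloading, an AXFR request from a host that is not in the ACL should be refused by the master; that refusal is the check that the restriction is in effect.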
