
Re: over-use of allow-transfer ?: msg#00660

network.dns.bind.user

Subject: Re: over-use of allow-transfer ?

In article <bb5oc8$21t4$1@xxxxxxxxxxx>, Beeblebrox <sl1433@xxxxxxxxxxx> wrote:
>Hello,
>
>Question: In the case shown below, is "allow-transfer" needed in the
>options area in named.conf?
>
>Details: In our named.conf file for bind 9, we have the directive
>allow-transfer used in the following locations:
>
> 1) at the top of named.conf in the "options" setting, after our acl
>list. It contains the list of slave DNS servers at our colo;
> 2) within each zone entry for our "inside" view. It contains the
>list of slave DNS servers at our HQ;
> 3) within each zone entry for our "outside" view. It, too, contains
>the list of slave DNS servers at our colo;
>
>Is this overkill? Maybe even a misconfiguration on our part? I mean,
>I understand setting allow-transfer for each zone within each view,
>but do we need allow-transfer within the options area? I don't want
>to remove it because, well, I don't want to break our DNS :)

Allow-transfer in the options area is used as a default for any zones that
don't have their own allow-transfer setting. The per-zone setting
overrides the global setting.

>Does our configuration have the risk that outside slave DNS servers
>may be able to zone-transfer our *inside* zones?

I don't think so. Assuming your inside view doesn't match the addresses at
the colo center, your inside zones should never be visible to them.
Allow-transfer is *not* used as part of the view determination mechanism,
only the addresses in the view's match setting.

--
Barry Margolin, barry.margolin@xxxxxxxxxx
Level(3), Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
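The precedence Barry describes (options as the global default, view and zone settings overriding it, and match-clients alone deciding which view a client lands in) laid out as a named.conf fragment. This is an added example, not the original poster's configuration; the acl names, addresses and zone name are constructed placeholders.

```bind
// Added example, not the poster's named.conf. Names and addresses are
// constructed placeholders (RFC 5737 documentation ranges).

acl "colo-slaves" { 192.0.2.10; 192.0.2.11; };   // secondaries at the colo
acl "hq-slaves"   { 198.51.100.5; };             // secondaries at HQ
acl "internal"    { 10.0.0.0/8; localhost; };    // clients that get the inside view

options {
    directory "/var/named";
    // Global default: applies only to zones (in any view) that set nothing
    // more specific. It plays no part in choosing a view for a client.
    allow-transfer { colo-slaves; };
};

view "inside" {
    // View selection happens here, on match-clients, before any
    // allow-transfer statement is consulted.
    match-clients { internal; };
    recursion yes;

    // View-level setting: overrides options, and is itself overridden
    // by a per-zone setting.
    allow-transfer { hq-slaves; };

    zone "example.com" {
        type master;
        file "inside/example.com.db";
        // Per-zone setting wins over both the view and the options default.
        allow-transfer { hq-slaves; };
    };
};

view "outside" {
    // Everything that did not match "inside" ends up here.
    match-clients { any; };
    recursion no;

    zone "example.com" {
        type master;
        file "outside/example.com.db";
        // No per-zone or view-level allow-transfer, so this zone inherits
        // the options default: colo-slaves.
    };
};
```

Check the file with `named-checkconf` before reloading. The thing to watch for is a zone in the inside view with no per-zone or view-level allow-transfer: it silently inherits the colo list from options. That is harmless as long as match-clients keeps the colo addresses out of the inside view, but it would become a real exposure if match-clients were later widened, so setting allow-transfer at the view level (as above) gives each view a safe default independent of options.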
