Bug 601118 - net-dns/bind: misleading warning message "zone 'x' allows updates by IP address, which is insecure"
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Christian Ruppert (idl0r)
Reported: 2016-11-28 20:10 UTC by Michael Weiser
Modified: 2017-02-15 14:52 UTC
Description Michael Weiser 2016-11-28 20:10:55 UTC
Hi,

the default configuration of current net-dns/bind contains the following directive in the options block:

        allow-update {
                /* Don't allow updates, e.g. via nsupdate. */
                none;
        };

This causes a warning message for all builtin and configured zones:

Nov 28 21:00:24 server named[4847]: zone 'version.bind' allows updates by IP address, which is insecure
Nov 28 21:00:24 server named[4847]: zone 'hostname.bind' allows updates by IP address, which is insecure
Nov 28 21:00:24 server named[4847]: zone 'authors.bind' allows updates by IP address, which is insecure
Nov 28 21:00:24 server named[4847]: zone 'id.server' allows updates by IP address, which is insecure

Commenting out that directive gets rid of the message. Functionality stays the same since "none" is the default for allow-update.

From looking at the code it seems that a check for the special case "none" is missing from that security check. Arguably this should be fixed upstream. See https://lists.isc.org/pipermail/bind-users/2016-November/098021.html for a first discussion with upstream.

In the meantime: Should the above default be provided as a commented block so people know it's the default but don't get confused by the misleading warning?

Thanks,
Michael
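As an added illustration (not BIND's code and not part of the bug report), the following Python snippet classifies allow-update ACLs the way the report argues named should: the special case `none` means updates are disabled, `key` clauses mean TSIG-authenticated clients, and only the remaining address-style elements deserve the "insecure" warning. The named.conf fragment is constructed for the example; it reproduces the reported default alongside two zone-level variants.

```python
import re

# Constructed named.conf fragment (not the reporter's file): the options-level
# default from the bug report plus two zone-level variants for comparison.
SAMPLE_CONF = """
options {
        allow-update {
                /* Don't allow updates, e.g. via nsupdate. */
                none;
        };
};
zone "example.test" {
        type master;
        allow-update { 192.0.2.10; 2001:db8::/64; };   // address match list
};
zone "keyed.test" {
        type master;
        allow-update { key "ddns-key"; };  # TSIG-authenticated clients only
};
"""

_COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
_SCOPE = re.compile(r'\b(options|zone\s+"([^"]+)")\s*\{')
_ALLOW_UPDATE = re.compile(r"allow-update\s*\{([^}]*)\}")

def allow_update_acls(conf):
    """Map each scope ('options' or a zone name) to its allow-update elements.
    Comments are stripped first; the scope is the nearest preceding
    options/zone header, which suffices for fragments shaped like the one above."""
    text = _COMMENT.sub("", conf)
    acls = {}
    for m in _ALLOW_UPDATE.finditer(text):
        headers = list(_SCOPE.finditer(text, 0, m.start()))
        scope = (headers[-1].group(2) or "options") if headers else "options"
        acls[scope] = [e.strip() for e in m.group(1).split(";") if e.strip()]
    return acls

def classify(elements):
    """Classify an ACL the way the report argues named should: the special
    case 'none' disables updates; key clauses authenticate the client; every
    other element (address, prefix, 'any', named ACL) is matched by source
    address, which is what the warning exists to flag."""
    if elements == ["none"]:
        return "disabled"
    if elements and all(e.startswith("key ") for e in elements):
        return "key-authenticated"
    return "address-based (insecure)"
```

Run against the fragment, only the two real zones get a classification worth warning about; the options-level `none` default is reported as disabled, which is the behaviour the report asks for.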
Comment 1 Michael Weiser 2016-11-28 21:07:12 UTC
Upstream is aware of the problem: https://lists.isc.org/pipermail/bind-users/2016-November/098057.html.
Comment 2 Michael Weiser 2017-02-15 14:52:51 UTC
From the looks of upstream git this will be fixed in 9.11.1.