| Summary: | net-dns/bind: misleading warning message "zone 'x' allows updates by IP address, which is insecure" | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Michael Weiser <michael> |
| Component: | Current packages | Assignee: | Christian Ruppert (idl0r) <idl0r> |
| Status: | RESOLVED OBSOLETE | | |
| Severity: | normal | | |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Upstream is aware of the problem: https://lists.isc.org/pipermail/bind-users/2016-November/098057.html. From the looks of upstream git this will be fixed in 9.11.1.
Hi,

the default configuration of current net-dns/bind contains the following directive in the options block:

```
allow-update { /* Don't allow updates, e.g. via nsupdate. */ none; };
```

This causes a warning message for all builtin and configured zones:

```
Nov 28 21:00:24 server named[4847]: zone 'version.bind' allows updates by IP address, which is insecure
Nov 28 21:00:24 server named[4847]: zone 'hostname.bind' allows updates by IP address, which is insecure
Nov 28 21:00:24 server named[4847]: zone 'authors.bind' allows updates by IP address, which is insecure
Nov 28 21:00:24 server named[4847]: zone 'id.server' allows updates by IP address, which is insecure
```

Commenting out that directive gets rid of the message. Functionality stays the same since "none" is the default for allow-update.

From looking at the code it seems that a check for the special case "none" is missing from that security check. Arguably this should be fixed upstream. See https://lists.isc.org/pipermail/bind-users/2016-November/098021.html for a first discussion with upstream.

In the meantime: should the above default be provided as a commented block so people know it's the default but don't get confused by the misleading warning?

Thanks,
Michael
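As an added example (not part of the bug report, and not Gentoo's shipped named.conf), the three named.conf fragments a practitioner would want to compare: the global `allow-update { none; };` that triggers the warning on BIND 9.11.0, the workaround the report suggests (leave the directive out, since `none` is the default anyway), and a per-zone update policy bound to a TSIG key, which is the practice the warning text is steering operators towards. The `directory`, zone name, zone file path and key name are illustrative; the secret is a placeholder to be generated with `tsig-keygen`. Fragments 1 and 2 are alternatives for the same `options` block, not meant to appear together in one file.

```conf
// Fragment 1: the default as quoted in the report. An allow-update at
// options level becomes the default for every zone, including the builtin
// CHAOS zones (version.bind, hostname.bind, ...), so BIND 9.11.0 logs
// "allows updates by IP address, which is insecure" for each of them,
// even though "none" grants nothing.
options {
    directory "/var/bind";            // illustrative path
    allow-update { /* Don't allow updates, e.g. via nsupdate. */ none; };
};

// Fragment 2: the workaround from the report. "none" is already the
// default for allow-update, so dropping (or commenting) the directive
// changes no behaviour and only removes the misleading warning.
options {
    directory "/var/bind";            // illustrative path
    // allow-update { none; };        // default; left commented on purpose
};

// Fragment 3: where dynamic updates are actually wanted, authorize them
// per zone with a TSIG key instead of by client IP address. Illustrative
// key and zone names; the secret must come from tsig-keygen and the file
// holding it must not be world-readable.
key "ddns-key.example.com" {
    algorithm hmac-sha256;
    secret "<base64 secret generated with tsig-keygen>";
};

zone "example.com" {
    type master;
    file "/var/bind/pri/example.com.zone";
    update-policy {
        // only requests signed with this key may add or delete records
        // at or below the zone apex; everything else is refused
        grant ddns-key.example.com zonesub ANY;
    };
};
```

With fragment 3 in place, `nsupdate -k <keyfile>` can modify example.com while the builtin zones and any zone without its own policy stay read-only, and the per-zone `update-policy` does not trigger the 9.11.0 warning because it names a key rather than an address list. `named-checkconf` on the resulting file is the quick syntax check before reloading.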