Subject: Re: NetBSD Security Advisory 2006-022: BIND recursive query and SIG query processing
To: Ben Collver <collver@peak.org>
From: Daniel Carosone <dan@geek.com.au>
List: netbsd-users
Date: 09/22/2006 09:56:44

On Thu, Sep 21, 2006 at 02:54:43PM -0700, Ben Collver wrote:
> > options {
> >         directory "/etc/namedb";
> >         allow-recursion { 1.2.3.4/24; 127.0.0.1/32; ::1; };
> > };
>
> I tried this workaround on NetBSD 3.0 and named refused to stop..
>
> Sep 21 14:46:13 coldsteel named[24397]: /etc/named.conf:40: unknown option 'allow-recursion'

Oops. Sorry about that, and thanks for the heads up.. does anyone know
offhand what the equivalent older form of this option is, or was it
only introduced more recently?  If so, we should probably look at
upgrading 3.0's bind to include the ability to restrict this.  There
are plenty of other ways to get screwed without it (traffic
amplification attacks, at least).

--
Dan.