Bug 740894

Summary: | Recursion disabled and bogus | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Renich Bon Ciric <renich>
Component: | bind | Assignee: | Tomáš Hozza <thozza>
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | high | Docs Contact: |
Priority: | unspecified | CC: | atu, ovasik, wolfgang.rupprecht
Version: | 19 | Doc Type: | Bug Fix
Hardware: | Unspecified | Target Milestone: | ---
OS: | Unspecified | Target Release: | ---
Last Closed: | 2013-06-03 08:54:23 UTC | Fixed In Version: |
Description
Renich Bon Ciric
2011-09-23 17:02:30 UTC
Comment #1 (Adam)

In my opinion our default named.conf configuration is secure enough.

1. named listens only on 127.0.0.1:53 and ::1:53
2. DNSSEC validation is enabled
3. queries are accepted only from localhost

This is enough for small or medium servers which aren't exposed on the Internet.

If the server is exposed on the Internet you are right, our default configuration is not sufficient. However, configuration of a big server needs an experienced admin and fine-tuning of various options, and I would rather keep the default named.conf clean and readable.

What is your opinion about this?

Comment #2 (Renich Bon Ciric)

(In reply to comment #1)
> In my opinion our default named.conf configuration is secure enough.
>
> 1. named listens only on 127.0.0.1:53 and ::1:53
> 2. DNSSEC validation is enabled
> 3. queries are accepted only from localhost
>
> This is enough for small or medium servers which aren't exposed on the
> Internet.
>
> If the server is exposed on the Internet you are right, our default
> configuration is not sufficient. However, configuration of a big server needs
> an experienced admin and fine-tuning of various options, and I would rather keep
> the default named.conf clean and readable.
>
> What is your opinion about this?

Thank you for replying. I partly agree with you.

If the configuration is to be local, IMHO, there is no need for DNSSEC. Especially if queries are accepted from localhost only, which would convert it into a caching-only installation.

Usually, newbies would just remove the localhost constraints configured in the server and start using it. These servers would be immediately exposed if they allow recursion. Switch.ch has complained. CloudSigma has already complained about this, and I am sure this is the case for most of the ISPs that allow full control of your server.

I think we could help prevent this a little if we offer a mid-point configuration, with remote and local views, disabling recursion for remotes.

A small/medium company would definitely benefit from an internet-ready configuration so they could start using it immediately.

I think we could offer a much better configuration, as I mentioned to you earlier. I'd like to offer a simple example, if I may, for you to evaluate. If not as a substitute for the original configuration, then as an example in /usr/share/docs/bind-X/named.conf.example or something like that. I'll get back to you with this example today or tomorrow.

Some examples of improvement would be:

- setting up local and remote views by default, with recursion disabled for remotes.
- using the /etc/dhcp directory to store master and slave configurations there (include /etc/named/{master,slave}.zones) so we keep the main config clean.
- some script to renew/regenerate the host key (and automatic inclusion of it too).
- set up a blackhole.

I'd like you to consider this and also ask you to look at Mandriva's configuration, which, IMHO, would be a good place to start. Also, the references I already pointed you at.

I say all this with respect for what mainstream offers and what Fedora offers. I am just looking for an opportunity to improve. I could help you with these, if I may ;=)

Comment #3

This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle. Changing version to '19'. (As we did not run this process for some time, it could also affect pre-Fedora 19 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.) More information and the reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19

Comment #4

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

Comment #5 (Tomáš Hozza)

Hi.

I agree with Adam that our default named.conf is secure and simple enough. I would rather include some warning message in it to prevent people from configuring their bind instance as a public recursive server.

I think something like mentioned in Bug #952311 comment #1 would do the right job.

Comment #6

*** Bug 929336 has been marked as a duplicate of this bug. ***

Comment #7 (Renich Bon Ciric)

(In reply to comment #5)
> Hi.
>
> I agree with Adam that our default named.conf is secure and simple
> enough. I would rather include some warning message in it to prevent people
> from configuring their bind instance as a public recursive server.
>
> I think something like mentioned in Bug #952311 comment #1 would do the
> right job.

Yeah, that seems helpful. Can we provide sample configs like black-hole and stuff like that?

Here's a sample:

https://github.com/renich/fedora-configs/blob/bind/etc/named.conf

This one required mounting /dev/null into the chroot. Not really aware of how this works with systemd and containers though...

I checked out /usr/libexec/setup-named-chroot.sh and couldn't find /dev/null anywhere... but systemd mounts it anyway so...

I mention all this because, back in SysV, I had to modify the init file (or was it /etc/sysconfig/named?) in order to add /dev/null.

So, those are my two cents. I believe a more complete configuration for bind will help users get around its configuration.

Maybe if examples are provided or a README.Fedora? I dunno; it's up to you.

Thank you for the attention.

Comment #8 (Tomáš Hozza)

(In reply to comment #7)
> (In reply to comment #5)
> > Hi.
> >
> > I agree with Adam that our default named.conf is secure and simple
> > enough. I would rather include some warning message in it to prevent people
> > from configuring their bind instance as a public recursive server.
> >
> > I think something like mentioned in Bug #952311 comment #1 would do the
> > right job.
>
> Yeah, that seems helpful. Can we provide sample configs like black-hole and
> stuff like that?
>
> Here's a sample:
>
> https://github.com/renich/fedora-configs/blob/bind/etc/named.conf
>
> This one required mounting /dev/null into the chroot. Not really aware of
> how this works with systemd and containers though...
>
> I checked out /usr/libexec/setup-named-chroot.sh and couldn't find
> /dev/null anywhere... but systemd mounts it anyway so...
>
> I mention all this because, back in SysV, I had to modify the init file (or
> was it /etc/sysconfig/named?) in order to add /dev/null.
>
> So, those are my two cents. I believe a more complete configuration for bind
> will help users get around its configuration.
>
> Maybe if examples are provided or a README.Fedora? I dunno; it's up to you.
>
> Thank you for the attention.

I appreciate your ideas and passion to improve our bind configurations. However, we already provide a "sample" configuration located in /usr/share/doc/bind-9.9.x/sample/etc/named.conf with a lot of comments and some samples of how to do things. I would rather not complicate things and let bind users/admins choose what fits their needs best. I think it is better to read the BIND Administrator's Reference Manual and understand the possible options than to just use some sample and complicated configuration out-of-the-box.

Thank you for your understanding.

Comment #9

bind-9.9.3-0.6.rc2.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/bind-9.9.3-0.6.rc2.fc19

Comment #10 (Renich Bon Ciric)

I understand. Thank you for your patience. It's just that I hate Mandriva/Mageia users that claim that their configuration is 'just ready' while ours isn't... Feel free to close the bug (or let koji/bodhi do it, hehe). Thanks!

Comment #11

bind-9.9.3-0.6.rc2.fc19, dhcp-4.2.5-12.fc19, bind-dyndb-ldap-3.2-1.fc19, dnsperf-2.0.0.0-6.fc19 have been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
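For readers evaluating the "mid-point" layout proposed in this bug (a local view that recurses and a remote view that does not, with zone lists pulled in by include), the following named.conf is an added illustration. It is not Fedora's shipped named.conf, not the bind-9.9.x sample configuration, and not the file linked from github.com/renich; the ACL prefixes, listen addresses and include paths are assumptions chosen for the example. The open-resolver pattern the thread warns about is `recursion yes;` together with `allow-query { any; };` and no restriction on who may recurse; here recursion is reachable only from the `trusted` ACL, while the external view answers only for zones the server is authoritative for.

```conf
// Added example of a split local/remote view layout (not Fedora's default
// named.conf). Addresses, zone files and include paths are assumptions.

acl "trusted" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;                         // assumed internal prefix
};

options {
    directory        "/var/named";
    listen-on        port 53 { 127.0.0.1; 192.0.2.53; };   // assumed addresses
    listen-on-v6     port 53 { ::1; };

    // Conservative global defaults; each view overrides only what it needs.
    recursion        no;                  // nobody recurses unless a view says so
    allow-recursion  { none; };
    allow-query-cache { none; };
    allow-query      { any; };            // authoritative data may be served to anyone
    allow-transfer   { none; };           // zone transfers are opt-in per zone

    dnssec-validation auto;               // validation only matters where we recurse
    version          "not disclosed";
};

// Local clients: full recursive resolver with DNSSEC validation.
view "internal" {
    match-clients     { trusted; };       // evaluated first, so trusted clients land here
    recursion         yes;
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };

    zone "." IN { type hint; file "named.ca"; };

    include "/etc/named/master.zones";    // assumed: zone { type master; ... } blocks
    include "/etc/named/slave.zones";     // assumed: zone { type slave; ... } blocks
};

// Everyone else: authoritative-only. No recursion, no cache access.
view "external" {
    match-clients     { any; };
    recursion         no;
    allow-recursion   { none; };
    allow-query-cache { none; };

    // The same zone definitions are served here; root hints are not needed
    // because this view never resolves anything on a client's behalf.
    include "/etc/named/master.zones";
    include "/etc/named/slave.zones";
};
```

Check the syntax with `named-checkconf /etc/named.conf` before reloading. From an address outside the `trusted` ACL, `dig @<server> www.example.org` should come back with status REFUSED and dig's warning that recursion was requested but is not available, while queries for the server's own zones still answer; from a trusted address the same query returns NOERROR with the `ra` flag set. Because views are in use, every zone has to live inside a view; a top-level `zone` statement next to `view` blocks is a configuration error.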