Mageia Bugzilla – Attachment 1309 Details for
Bug 3379
Security update for bind for CVE-2011-4313
named.conf
named.conf (text/plain), 4.76 KB, created by
Dave Hodgins
on 2011-12-30 21:46:51 CET
Description:
named.conf
Filename:
MIME Type:
Creator:
Dave Hodgins
Created:
2011-12-30 21:46:51 CET
Size:
4.76 KB
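// (oe) Loosely based on the document below and from production server configurations.
// http://www.cymru.com/Documents/secure-bind-template.html
//
// $Id: named.conf 329224 2009-01-13 22:33:01Z oden $
// $HeadURL: svn+ssh://svn.mandriva.com/svn/packages/cooker/bind/current/SOURCES/named.conf $
//
// Layout: control channel and ACL includes first, then global options,
// then the delegation-only TLD workaround, the hint/local zones and the
// DNSSEC trust anchors. Only the ACL names referenced here (bogon,
// trusted_networks, mykey) must exist in the included files.

// secret must be the same as in /etc/rndc.conf
// NOTE(review): this file ends up in memory and therefore in any core
// dump named writes (see coresize below) -- keep /etc/rndc.key 0640 root:named.
include "/etc/rndc.key";

// rndc control channel: loopback only, and only with the shared key.
controls {
	inet 127.0.0.1 port 953
	allow { 127.0.0.1; } keys { mykey; };
};

// Access lists (ACL's) should be defined here
include "/etc/bogon_acl.conf";
include "/etc/trusted_networks_acl.conf";

// Define logging channels
include "/etc/logging.conf";

// Enable statistics at http://127.0.0.1:5380/
// Bound to loopback only; the statistics page leaks zone names and
// query counters, so do not widen the allow list without authentication
// in front of it.
statistics-channels {
	inet 127.0.0.1 port 5380 allow { 127.0.0.1; };
};

options {
//	recursion yes;
	// Hide the version string from "version.bind" CH TXT queries.
	version "";
	directory "/var/named";
	// NOTE(review): /var/tmp is world-writable; writing dumps and stats
	// there is a symlink/race hazard unless named runs in a chroot.
	// Prefer a named-owned directory (e.g. under /var/named) and keep
	// these paths in sync with any tooling that reads them.
	dump-file "/var/tmp/named_dump.db";
	pid-file "/var/run/named.pid";
	statistics-file "/var/tmp/named.stats";
	zone-statistics yes;
//	datasize 256M;
	// Core dumps contain the rndc/TSIG keys loaded above; 100M is a
	// debugging convenience -- set to 0 on hosts where dumps are not needed.
	coresize 100M;
//	fetch-glue no;
//	recursion no;
//	recursive-clients 10000;
	auth-nxdomain yes;
	// Random source port for every outbound query (source-port
	// randomisation); never pin "port 53" here.
	query-source address * port *;
	listen-on port 53 { any; };
	cleaning-interval 120;
	transfers-in 20;
	transfers-per-ns 2;
	lame-ttl 0;
	max-ncache-ttl 10800;

//	forwarders { first_public_nameserver_ip; second_public_nameserver_ip; };

//	allow-update { none; };
	// BIND's built-in default for allow-transfer is "any", i.e. every
	// master zone below could be AXFR'd by anyone. Deny globally; a zone
	// that really has secondaries overrides this with its own
	// allow-transfer { <secondary addresses or TSIG key>; }.
	allow-transfer { none; };

// Prevent DoS attacks by generating bogus zone transfer
// requests. This will result in slower updates to the
// slave servers (e.g. they will await the poll interval
// before checking for updates).
	notify no;
//	notify explicit;
//	also-notify { secondary_name_server };

// Generate more efficient zone transfers. This will place
// multiple DNS records in a DNS message, instead of one per
// DNS message.
	transfer-format many-answers;

// Set the maximum zone transfer time to something more
// reasonable. In this case, we state that any zone transfer
// that takes longer than 60 minutes is unlikely to ever
// complete. WARNING: If you have very large zone files,
// adjust this to fit your requirements.
	max-transfer-time-in 60;

// We have no dynamic interfaces, so BIND shouldn't need to
// poll for interface state {UP|DOWN}.
	interface-interval 0;

// IPv6 listeners. These lines are active (the old comment said
// "uncomment these"); `listen-on { none; }` adds no IPv4 listeners on
// top of the `listen-on port 53 { any; }` above -- presumably kept for
// IPv6-only setups. Verify the effective sockets with ss/netstat after
// editing this section.
	listen-on { none; };
	listen-on-v6 { any; };

// allow-query is left at its default (any): the server answers
// authoritatively for everyone, while recursion (and with it the cache,
// via allow-query-cache's default) is limited to trusted_networks.
//	allow-query { trusted_networks; };
	allow-recursion { trusted_networks; };

// Deny anything from the bogon networks as
// detailed in the "bogon" ACL.
	blackhole { bogon; };

	// Validation only takes effect when DNSSEC processing is enabled:
	// with "dnssec-enable no" the "dnssec-validation yes" below was a
	// no-op and answers were accepted unvalidated.
	dnssec-enable yes;
	dnssec-validation yes;
	// DLV (dnssec-lookaside) supplements the root trust anchor in
	// managed-keys for zones whose parents are unsigned. NOTE(review):
	// ISC has since retired the dlv.isc.org registry; on a current BIND
	// drop this line and the trusted-keys block at the end of the file.
	dnssec-lookaside . trust-anchor dlv.isc.org.;
};

// workaround stupid stuff... (OE: Wed 17 Sep 2003)
// Rejects wildcard A records synthesised at the TLD level (the 2003
// "Site Finder" episode). Harmless for TLDs that no longer do this.
zone "ac" { type delegation-only; };
zone "cc" { type delegation-only; };
zone "com" { type delegation-only; };
zone "cx" { type delegation-only; };
zone "lv" { type delegation-only; };
zone "museum" { type delegation-only; };
zone "net" { type delegation-only; };
zone "nu" { type delegation-only; };
zone "ph" { type delegation-only; };
zone "sh" { type delegation-only; };
zone "tm" { type delegation-only; };
zone "ws" { type delegation-only; };

// Root hints.
zone "." IN {
	type hint;
	file "named.ca";
};

// Local-only authoritative zones. None accepts dynamic updates.
zone "localdomain" IN {
	type master;
	file "master/localdomain.zone";
	allow-update { none; };
};

zone "localhost" IN {
	type master;
	file "master/localhost.zone";
	allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
	type master;
	file "reverse/named.local";
	allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
	type master;
	file "reverse/named.ip6.local";
	allow-update { none; };
};

zone "255.in-addr.arpa" IN {
	type master;
	file "reverse/named.broadcast";
	allow-update { none; };
};

zone "0.in-addr.arpa" IN {
	type master;
	file "reverse/named.zero";
	allow-update { none; };
};

// Root zone trust anchor. "initial-key" means RFC 5011 automatic
// key rollover: named tracks later root KSKs itself and stores them in
// managed-keys.bind under the working directory, so this literal only
// has to match the root KSK current when the server is first started.
managed-keys {
	"." initial-key 257 3 8
	"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
	FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
	bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
	X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
	W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
	Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
	QxA+Uk1ihz0=";
};

include "/etc/adblock.conf";

// Static (non-rolling) trust anchor for the DLV registry used by
// dnssec-lookaside above. Unlike managed-keys this is never refreshed;
// remove together with the dnssec-lookaside line when DLV is dropped.
trusted-keys {
	dlv.isc.org. 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URkY62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VStTDN0YUuWrBNh";
};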