DNS recursion bigfix doesn't fix anything (and 'unfixes' fixed configs)

[breun]

The Plesk 8.1.0 release notes say:

9. DNS recursion bugfix

DNS recursion option allows only localnet recursion by default.

While this is a good thing, I believe the bugfix is pretty buggy, because the upgrade to 8.1.0 put the following in my /etc/named.conf:

allow-recursion {
                any;
        };

Testing with http://www.kloth.net/services/nslookup.php for instance shows BIND allows recursion. I changed any to 127.0.0.1 and things are fine after restarting named.

Are other people seeing this too? I've done two upgrades to 8.1.0 so far and both boxes had allow-recursion set to any afterwards. Even if it was set to 127.0.0.1 before starting the upgrade, so the 'fix' actually 'unfixed' my configuration!

 

[nb__]

My Fedora Core 4's named have a correct settings according to release notes. Your OS, dude?

 

[breun]

CentOS 4 on the first box, Fedora Core 3 on the second. Both ended up with 'allow-recursion { any };' in /etc/named.conf after the upgrade. What is the exact allow-recursion statement that the upgrade put in your config?

 

[ItMan]

For 8.0.1 Add all to named.conf


You can fix it manually:

named.conf.include.plesk-options

        allow-recursion {
                localnets;
        };

 

[breun]

I understand I can fix this manually, but I shouldn't have to. And the update to Plesk 8.1.0 should definitely not change my config to allow recursion to any host!

 

[breun]

By the way, BIND would be even more secure if Plesk would set both allow-recursion and allow-query to localnets and all zones would explicitly allow-query to any. See http://archive.cert.uni-stuttgart.de/archive/bugtraq/2003/09/msg00170.html for an explanation why (hosts that are not able to use recursion still get answers for cached DNS entries).

 

[ItMan]

Originally posted by breun
I understand I can fix this manually, but I shouldn't have to. And the update to Plesk 8.1.0 should definitely not change my config to allow recursion to any host!

It is not critical, just worse that:

listen-on       {127.0.0.1;}

 

[breun]

What do you mean exactly? I don't have listen-on { 127.0.0.1; } in my named.conf.

 

[ItMan]

After Update i have:
* recursion fixed
* but fixed listen-on, that bind didn't work at all.

sorry for my bad English =(