[Pdns-dev] Re: BIND backend support for allow-query in named.conf

Brendan Oakley gentux2 at gmail.com
Fri Sep 5 16:44:48 CEST 2008


Hi Bert,

I'm posting again just in case you missed it before.

I wrote a small patch and attached it to ticket #166
(http://wiki.powerdns.com/cgi-bin/trac.fcgi/ticket/166), and recently
updated it.

It adds support to the BIND backend for the 'allow-query' directive on
a zone. It mimics the behavior of BIND, where you can specify a list
of IP ranges which are allowed to query a zone, so that it will not
answer queries from an IP not on the list, but return SERVFAIL.

This is a requirement on our site because our authoritative
nameservers serve zones which are publicly visible, as well as zones
for our use which contain data we want to keep hidden from the
outside.

The first iteration of it would cause a zone master to raise a signal
11 because it would try to check the source IP on "internal" lookups
of the NS records when preparing to issue notifies, and internal
lookups have no source IP. This is why I updated it, so it skips the
check on internal lookups. We have been running this in production for
about a year now, and apart from this it has performed quite well.
We've had no crashes or problems at all in the past month since I
updated it.

I submitted this back because it seems an enhancement that might be
useful to others, and does not seem to add any significant overhead.
It is a careful and clean patch, and now thoroughly tested. My intent
is to contribute back to what I consider a great piece of software, so
my question is what more can I do to see this reviewed and considered
for possible inclusion.

Thanks.
Brendan
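
The behaviour described in the message above, as an added example (it is not the patch attached to ticket #166 and not PowerDNS code): a per-zone allow-query check that returns SERVFAIL for sources outside the listed ranges and skips the check when an internal lookup has no source address. All type and function names are hypothetical, it handles IPv4 only, and a zone without the directive is assumed to answer everyone.

```cpp
#include <arpa/inet.h>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// All names below are hypothetical, not PowerDNS identifiers. IPv4 only.
enum class Verdict { Answer, ServFail };
struct Cidr { uint32_t net, mask; };  // host byte order
struct Zone {
    std::string name;
    bool hasAllowQuery = false;  // assumption: no directive means answer everyone
    std::vector<Cidr> allowQuery;
};

// Parse "a.b.c.d/len" or a bare address (treated as /32).
bool parseCidr(const std::string& s, Cidr& out) {
    const std::string::size_type slash = s.find('/');
    unsigned long len = 32;
    if (slash != std::string::npos) {
        const std::string bits = s.substr(slash + 1);
        if (bits.empty() || bits.size() > 2 ||
            bits.find_first_not_of("0123456789") != std::string::npos)
            return false;
        len = std::stoul(bits);
        if (len > 32) return false;
    }
    in_addr a{};
    if (inet_pton(AF_INET, s.substr(0, slash).c_str(), &a) != 1) return false;
    out.mask = len == 0 ? 0u : 0xFFFFFFFFu << (32 - len);
    out.net = ntohl(a.s_addr) & out.mask;  // normalise to the network address
    return true;
}

// source is null for internal lookups, which carry no client address.
Verdict checkAllowQuery(const Zone& zone, const in_addr* source) {
    if (!zone.hasAllowQuery) return Verdict::Answer;  // zone has no ACL
    if (source == nullptr) return Verdict::Answer;    // internal: skip the check
    const uint32_t ip = ntohl(source->s_addr);
    for (const Cidr& c : zone.allowQuery)
        if ((ip & c.mask) == c.net) return Verdict::Answer;
    return Verdict::ServFail;                         // source not on the list
}

int main() {
    Zone z; z.name = "internal.example"; z.hasAllowQuery = true;  // constructed sample
    Cidr c; if (parseCidr("10.0.0.0/8", c)) z.allowQuery.push_back(c);
    in_addr outside{}; inet_pton(AF_INET, "203.0.113.5", &outside);
    std::printf("%d %d\n", (int)checkAllowQuery(z, &outside), (int)checkAllowQuery(z, nullptr));
}
```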

