Name Server Operations Guide for BIND Release 4.9.5 : Files : About ``secure zones''
Previous: Discussion about the TTL
Next: About Hesiod, and HS-class Resource Records

6.7. About ``secure zones''

Secure zones implement named security on a zone-by-zone basis. The feature uses a permission list of networks or hosts that may obtain particular information from the zone.

In order to use zone security, named must be compiled with SECURE_ZONES defined and you must have at least one secure_zone TXT RR. Unless a secure_zone record exists for a given zone, no restrictions will be applied to the data in that zone. The format of the secure_zone TXT RR is:

secure_zone	addr-class	TXT	string

The addr-class may be either HS or IN. The syntax for the TXT string is either ``network address:netmask'' or ``host IP address:H''.

``network address:netmask'' allows queries from an entire network. If the netmask is omitted, named will use the default netmask for the network address specified.

``host IP address:H'' allows queries from a host. The ``H'' after the ``:'' is required to differentiate the host address from a network address. Multiple secure_zone TXT RRs are allowed in the same zone file.

For example, you can set up a zone to only answer Hesiod requests from the masked class B network 130.215.0.0 and from host 128.23.10.56 by adding the following two TXT RRs:

secure_zone	HS	TXT	"130.215.0.0:255.255.0.0"
secure_zone	HS	TXT	"128.23.10.56:H"

This feature can be used to restrict access to a Hesiod password map or to separate internal and external internet address resolution on a firewall machine without needing to run a separate named for internal and external address resolution.

Note that you will need to include your loopback interface (127.0.0.1) in your secure_zone record, or your local clients won't be able to resolve names.
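As an added example, not part of the BIND guide or of named itself, the following Python checker parses secure_zone TXT RRs in the format described above and decides whether a querying address is permitted. It assumes that an omitted netmask defaults to the classful mask of the network address; the function names and the sample zone data are my own.

```python
import ipaddress

# Constructed sample zone data (not from the guide): the two records from the
# text plus the loopback entry the guide says local clients need.
SAMPLE_ZONE = """\
secure_zone\tHS\tTXT\t"130.215.0.0:255.255.0.0"
secure_zone\tHS\tTXT\t"128.23.10.56:H"
secure_zone\tHS\tTXT\t"127.0.0.1:H"
"""

def default_classful_mask(addr):
    """Classful default netmask applied when a network entry omits one
    (assumed here to be what named uses for a bare network address)."""
    first = int(addr.split(".")[0])
    if first < 128:
        return "255.0.0.0"        # class A
    if first < 192:
        return "255.255.0.0"      # class B
    return "255.255.255.0"        # class C

def parse_secure_zone(zone_text):
    """Return the list of networks/hosts permitted by secure_zone TXT RRs."""
    allowed = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "secure_zone" or fields[2] != "TXT":
            continue                      # not a secure_zone record
        if fields[1] not in ("HS", "IN"):
            raise ValueError(f"bad addr-class in {line!r}")
        value = fields[3].strip("\"`'")   # TXT string without its quotes
        addr, _, mask = value.partition(":")
        if mask == "H":                   # "host IP address:H" -> single host
            allowed.append(ipaddress.ip_network(addr))
        else:                             # "network address[:netmask]"
            mask = mask or default_classful_mask(addr)
            allowed.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return allowed

def query_permitted(allowed, client_ip):
    """True if the client may obtain data from the zone.  With no secure_zone
    records the guide applies no restrictions, so an empty list permits all."""
    if not allowed:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in allowed)
```

Run `query_permitted(parse_secure_zone(SAMPLE_ZONE), "130.215.42.7")` to see the class B network entry match while a neighbour of the listed host, such as 128.23.10.57, is refused.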

