Consider removing the built-in "_bind" view from the default configuration
Time to stir up a hornet's nest!
The built-in `_bind` view has been part of BIND 9 since version 9.3.0. Its purpose is to service CHAOS class queries for the following zones:

- `version.bind`
- `hostname.bind`
- `id.server`
- `authors.bind`

I have some thoughts on these. YMMV.

- `version.bind`: commonly set to `none` or some nonsense string in production environments because it is believed to be a security hole 🤷 [citation needed]
- `hostname.bind`: superseded by NSID, I think?
- `id.server`: same.

That leaves us with `authors.bind`, which is a bit of a delicate topic. I would not want to hurt anyone's feelings, so please just hear me out; this issue is meant to be a place for discussion.

The primary problem I have with the `_bind` view is that it is a liability on memory-constrained platforms because its presence in the default configuration causes a useless `dns_resolver_t` object to be unconditionally created upon `named` startup. That is no small object: it comes with tasks, dispatches, etc. - the ironic part being that this view does not need recursion at all (`recursion no;` does not help). To the best of my knowledge, there is no way to disable creating that view in the configuration file; it can only be replaced with a different view, which does not prevent the memory use problem.

Other hiccups which this view has caused in the past (that I can recall...) include making the default configuration vulnerable to a security issue related to RRL, which is enabled for the `_bind` view by default (see CVE-2021-25218), or having to extend its configuration to prevent it from uselessly allocating even more memory on startup (see 86698ded).

I have been running a home resolver with the `_bind` view removed from the source code for about a year and a half now and I have not noticed any adverse effects caused by that modification.

I think we should consider removing the `_bind` view from the default configuration. It can always be re-enabled via explicit configuration, if somebody wants that. In other words, I think it should be "opt-in" rather than "opt-out" (noting that there is no way to actually opt-out right now). I am not proposing to remove the code responsible for preparing the contents of the `authors.bind` zone or any other built-in zone served by the `_bind` view. It's just that IMHO the long-term costs of maintaining this view in the default configuration are not worth the benefits.

Let the tomatoes fly
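As an added example (not part of the issue above and not taken from BIND's own sources), this `named.conf` `options` fragment shows the "set to `none`" practice the issue refers to: the documented BIND 9 options `version`, `hostname` and `server-id` control what the built-in CHAOS zones answer. The `directory` path is a placeholder. As the issue points out, these settings only change the answers; they do not stop `named` from creating the `_bind` view and its `dns_resolver_t` object.

```conf
// named.conf fragment (added example): silence the CHAOS-class
// "who are you" answers served by the built-in _bind view.
options {
    directory "/var/cache/bind";   // placeholder path; adjust for your install

    // version.bind CH TXT: "none" disables processing of the query
    // instead of returning the real version string (a nonsense string
    // such as version "not disclosed"; is the other common choice).
    version none;

    // hostname.bind CH TXT: "none" disables processing of the query.
    hostname none;

    // id.server CH TXT and the NSID EDNS option are both driven by
    // server-id; "none" (the default) disables both. Use
    // server-id hostname; if anycast instances need to be told apart.
    server-id none;
};
```

Check the syntax with `named-checkconf` before reloading, then verify the effect from the host itself with `dig @127.0.0.1 CH TXT version.bind` (and `hostname.bind`, `id.server`): the real version or host name should no longer appear in the answer section. Remember that this is cosmetic hardening only; the memory cost the issue describes is incurred whether or not these options are set.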