acl controls

Yanek Korff yanek at cigital.com
Mon Oct 29 22:06:48 UTC 2001


As I thought.  I will notify the DNS admins at the ISP about the crack they
must recently have taken.

-Yanek.

> -----Original Message-----
> From: Kevin Darcy [mailto:kcd at daimlerchrysler.com]
> Sent: Monday, October 29, 2001 4:44 PM
> To: 'bind-users at isc.org'
> Subject: Re: acl controls
> 
> 
> 
> No, this is a really bad idea. How are you going to translate the IP address
> into a domain name? Do a reverse query? That's unreliable, since many folks
> don't bother with reverse DNS records. Also, it's easily spoofed unless you
> also do a forward query to confirm the results of the reverse query. So now
> you're talking about originating 2 queries for every one query that comes in.
> The client could easily time out while you're trying to verify their
> "credentials" in this way. Not only that, but what if 2 nameservers tried to
> "authenticate" each other in this way? They could end up causing an
> authentication loop and melting each other down.
> 
> Just use IP addresses or address ranges. AFAIK, that's the only thing
> BIND supports in an ACL besides TSIG keys anyway.
> 
> 
> - Kevin
> 
> Yanek Korff wrote:
> 
> > No, I mean exactly what I said.  Can an ACL control specify a domain?  I am
> > aware that I can have different ACLs for different zones.  I am hesitant to
> > just "try it" as I don't have a test DNS server handy.
> >
> > -Yanek.
> >
> > -----Original Message-----
> > From: Drew J. Weaver [mailto:drew.weaver at thenap.com]
> > Sent: Monday, October 29, 2001 4:26 PM
> > To: 'Yanek Korff'; 'bind-users at isc.org'
> > Subject: RE: acl controls
> >
> > If you mean, can you specify who can pull which specific domains then yes.
> >
> > -Drew
> >
> > -----Original Message-----
> > From: Yanek Korff [mailto:yanek at cigital.com]
> > Sent: Monday, October 29, 2001 4:05 PM
> > To: 'bind-users at isc.org'
> > Subject: acl controls
> >
> > I'm familiar with using acls to specify servers which can slave by using IP
> > addresses and IP prefix (slash notation).  Is it possible to specify acl
> > controls by domain?  As in...
> > acl goodPeople {
> >   .goodpeople.net;
> > }
> >
> > ?
> >
> > My ISP claims it is.  I have my doubts.
> >
> > -Yanek.
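The answer Kevin gives, in concrete form. This is an added example and not something posted in the thread: a named.conf fragment for the primary server showing an ACL built from addresses and prefixes (the only address forms BIND matches), a TSIG key as the other kind of ACL entry, and a zone that requires both a listed source address and a valid signature. The addresses come from the RFC 5737 documentation ranges; the zone names, the key name "xfer-key" and the secret are placeholders chosen for this example.

```conf
// named.conf fragment on the PRIMARY (added example). Addresses are from the
// RFC 5737 documentation ranges; zone names, key name and secret are placeholders.

// ACL entries are addresses, prefixes, other ACL names or TSIG keys; there is
// no domain-name form. Entries are tried in order and the first match wins,
// so a negated host has to come before the prefix that contains it.
acl "xfer-hosts" {
    !192.0.2.66;          // one host inside the range below that may never pull zones
    192.0.2.0/26;         // the ISP's secondaries
    198.51.100.10;        // an off-site secondary
};

// Shared secret for TSIG. Generate a real one with:  tsig-keygen xfer-key
// (on older BIND: dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST xfer-key)
key "xfer-key" {
    algorithm hmac-sha256;
    secret "cGxhY2Vob2xkZXItcmVwbGFjZS1tZS1iZWZvcmUtdXNl";   // placeholder, not a real key
};

options {
    directory "/var/named";
    allow-transfer { none; };      // deny transfers unless a zone says otherwise
};

// Weak: source address only. Any host in 192.0.2.0/26 except .66, or anything
// that can route traffic from that range, can pull the whole zone.
zone "weak.example.net" {
    type master;                   // "primary" in BIND 9.16 and later
    file "weak.example.net.zone";
    allow-transfer { xfer-hosts; };
};

// Better: the request must come from a listed address AND carry a valid TSIG
// signature. The nested list matches every address that is NOT in xfer-hosts;
// negating it denies those, and a request from a listed address produces no
// match there and falls through to the key check.
zone "example.net" {
    type master;
    file "example.net.zone";
    allow-transfer { !{ !xfer-hosts; any; }; key xfer-key; };
    also-notify { 192.0.2.10; 198.51.100.10; };
};

// On each SECONDARY: the same key statement, plus a server clause so that every
// message sent to the primary (203.0.113.53 here, a placeholder) is signed.
// key "xfer-key" { algorithm hmac-sha256; secret "...same secret..."; };
// server 203.0.113.53 { keys { "xfer-key"; }; };
// zone "example.net" {
//     type slave;                 // "secondary" in BIND 9.16 and later
//     file "slaves/example.net.zone";
//     masters { 203.0.113.53; };  // "primaries" in BIND 9.16 and later
// };
```

Check the syntax with named-checkconf before reloading. Then test from one of the listed secondaries: an unsigned `dig @203.0.113.53 example.net AXFR` should come back REFUSED, while `dig -y hmac-sha256:xfer-key:<secret> @203.0.113.53 example.net AXFR` should return the zone, and the same signed request from an address outside xfer-hosts should still be refused. A source address only says which host a packet claims to come from; the shared secret is what actually identifies the peer, which is why the second zone asks for both.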


