Information leakage via update prereqs (was: Consistent error message in named.log )

Chris Thompson cet1 at hermes.cam.ac.uk
Mon Jul 2 14:52:22 UTC 2007


On Jun 29 2007, Mark Andrews wrote:
[...]
>	This is a FAQ.
>
>Q: I keep getting log messages like the following. Why?
>
>   Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN': update
>   failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
>   
>A: DNS updates allow the update request to test to see if certain conditions are
>   met prior to proceeding with the update. The message above is saying that
>   conditions were not met and the update is not proceeding. See doc/rfc/
>   rfc2136.txt for more details on prerequisites.
>
>Also prerequisites are processed before any acls according to RFC 2136 which
>is why you see these even when updates are denied for everyone.

That is, section 3.3 comes after section 3.2. But the RFC seems not to provide
justification as to why the authorisation check must not be done earlier.

The result is that update attempts can be used to find out some details of
zones to which the requestor does not have query access. (I experimented
with a zone with "allow-query{none;};".) By seeing whether the return code
is {Y,N}X{DOMAIN,RRSET} rather than REFUSED, a client can see whether a
domain name exists, if so whether it has RRs of a particular type, if so
whether they (collectively) do or do not match some guessed values.

This doesn't seem a very serious security issue, but it gives me an uneasy
feeling.

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
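
The probe described in the post above, written out as an added example; it is not code from this thread, from BIND or from the RFC. It builds the RFC 2136 UPDATE message by hand (header, one zone entry, one prerequisite RR, no update RRs) so it needs no third-party DNS library, and it maps the returned RCODE back to what an unauthorized client learns. The zone `example.com`, the names probed, the address `192.0.2.53` and the guessed A record are hypothetical placeholders; the response bytes used for offline checking are constructed.

```python
"""Probe a zone that denies queries via RFC 2136 UPDATE prerequisites.

Added example, not code from the bind-users thread or from BIND.  The zone,
names and server address below are hypothetical placeholders.
"""
import socket
import struct

OPCODE_UPDATE = 5                               # RFC 2136 section 1.3
TYPE_A, TYPE_SOA, TYPE_ANY = 1, 6, 255
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET",
          8: "NXRRSET", 9: "NOTAUTH", 10: "NOTZONE"}


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels (RFC 1035 3.1)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def prereq(kind, name, rtype=TYPE_ANY, rdata=b""):
    """One prerequisite RR (RFC 2136 section 2.4).

    name_in_use  : TYPE=ANY,   CLASS=ANY, empty RDATA   (2.4.4)
    rrset_exists : TYPE=rtype, CLASS=ANY, empty RDATA   (2.4.1)
    rrset_value  : TYPE=rtype, CLASS=IN,  RDATA=guess   (2.4.2)
    """
    if kind == "name_in_use":
        rtype, rclass, rdata = TYPE_ANY, CLASS_ANY, b""
    elif kind == "rrset_exists":
        rclass, rdata = CLASS_ANY, b""
    elif kind == "rrset_value":
        rclass = CLASS_IN
    else:
        raise ValueError(kind)
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, 0, len(rdata)) + rdata


def build_update(msg_id, zone, prereqs):
    """UPDATE with one zone entry, the given prerequisites and no update RRs.

    Header: opcode UPDATE, ZOCOUNT=1, PRCOUNT=len(prereqs), UPCOUNT=0, ADCOUNT=0.
    """
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11,
                         1, len(prereqs), 0, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return header + zone_section + b"".join(prereqs)


def response_rcode(msg_id, response):
    """RCODE name of a response to msg_id; reject mismatched IDs and non-responses."""
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != msg_id or not flags & 0x8000:
        raise ValueError("not a response to our message")
    return RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))


# Section 3.2 of RFC 2136 (prerequisites) is evaluated before 3.3 (update
# permission), so a client with no update rights still sees the prerequisite
# outcome: a failed prerequisite comes back as an NX*/YX* code, and REFUSED
# only arrives once every prerequisite has held.
LEAK = {
    ("name_in_use", "REFUSED"):    "name exists",
    ("name_in_use", "NXDOMAIN"):   "name does not exist",
    ("rrset_exists", "REFUSED"):   "RRset of that type exists",
    ("rrset_exists", "NXRRSET"):   "no RRset of that type",
    ("rrset_value", "REFUSED"):    "guessed RDATA matches the RRset",
    ("rrset_value", "NXRRSET"):    "guess does not match (or no such RRset)",
}


def interpret(kind, rcode):
    """Translate an RCODE into what it reveals for the prerequisite kind sent."""
    return LEAK.get((kind, rcode), "inconclusive: " + rcode)


def probe(server, zone, kind, name, rtype=TYPE_ANY, rdata=b"",
          msg_id=0x1234, timeout=2.0):
    """Send one prerequisite-only UPDATE over UDP and interpret the answer."""
    msg = build_update(msg_id, zone, [prereq(kind, name, rtype, rdata)])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(msg, (server, 53))
        data, _ = sock.recvfrom(512)
    return interpret(kind, response_rcode(msg_id, data))


if __name__ == "__main__":
    # Hypothetical lab server that is authoritative for example.com and
    # has allow-query { none; } on the zone.
    print(probe("192.0.2.53", "example.com", "name_in_use", "www.example.com"))
    print(probe("192.0.2.53", "example.com", "rrset_exists", "www.example.com", TYPE_A))
    print(probe("192.0.2.53", "example.com", "rrset_value",
                "www.example.com", TYPE_A, bytes([192, 0, 2, 10])))
```

Read the answers in the order the RFC evaluates them: REFUSED is the interesting result, because it means the server got past section 3.2 with the prerequisite satisfied and only then applied its update ACL; NXDOMAIN or NXRRSET means the prerequisite itself failed. Anything else (NOTAUTH, NOTZONE, SERVFAIL, a timeout) says nothing about the zone contents and the script reports it as inconclusive. Point it only at a server you are allowed to test.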



More information about the bind-users mailing list