No subject


Tue Apr 2 00:56:56 UTC 2013


zones are the address spaces I want to protect.  If worst comes to
worst, I would even happily list out a collection of CIDR
address/netmask pairs that comprise the address space I want to
protect.

> DNS just is a protocol, not a policy. This is not a DNS security
> flaw IMHO - it just is a feature.

A DNS server implementation implements both protocol and policy.
That's why BIND has configuration options such as allow-query,
allow-recursion, allow-transfer, etc.  That's policy stuff, but it
goes in the server.  Ideally, RFCs should recommend that this be done.

In different terms -- traditional DNS security issues involve
questions of whether a DNS request has been answered by an acceptable
server or asked by an acceptable client or peer.  The question now is,
even if a DNS request has been answered by an acceptable server, is
the answer itself acceptable?  This is an obvious and logical
extension of existing security/policy issues that DNS servers such as
BIND address.

- Morty
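The answer-side policy the message argues for, as an added example that is not part of the thread and not BIND's own code: a small Python evaluator that takes the list of CIDR address/netmask pairs Morty mentions plus a list of trusted zones (the exception for names inside those zones is this example's assumption), and rejects an answer whose A/AAAA records fall in the protected space unless the name the client actually asked for lies inside one of those zones. The names, addresses and records below are constructed sample data.

```python
"""Answer-acceptability policy for a recursive resolver.

Added example for this thread; not code from the post and not from BIND.
Protected address space is a CIDR list; names at or below a trusted zone
(an assumption of this example) may resolve into that space, others may not.
"""
import ipaddress
from typing import Dict, Iterable, List, NamedTuple


class RR(NamedTuple):
    """One resource record from an answer section (already parsed)."""
    name: str    # owner name, e.g. "www.example.com."
    rtype: str   # "A", "AAAA", "CNAME", ...
    rdata: str   # address text for A/AAAA, target name for CNAME


def _norm(name: str) -> str:
    """Canonical form: lower-case, single trailing dot."""
    return name.rstrip(".").lower() + "."


def _labels(name: str) -> List[str]:
    return [l for l in _norm(name).split(".") if l]


def in_zone(name: str, zone: str) -> bool:
    """True if name is at or below zone, compared label by label."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


class AnswerPolicy:
    def __init__(self, protected_cidrs: Iterable[str], trusted_zones: Iterable[str]):
        self.protected = [ipaddress.ip_network(c, strict=False) for c in protected_cidrs]
        self.trusted_zones = [_norm(z) for z in trusted_zones]

    def address_is_protected(self, text: str) -> bool:
        addr = ipaddress.ip_address(text)
        # Unwrap IPv4-mapped IPv6 (::ffff:10.1.2.3) so an AAAA record cannot
        # carry an IPv4 address past an IPv4-only deny list.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        return any(addr in net for net in self.protected)

    def name_is_trusted(self, name: str) -> bool:
        return any(in_zone(name, z) for z in self.trusted_zones)

    @staticmethod
    def _alias_map(answer: Iterable[RR]) -> Dict[str, str]:
        """Map each CNAME target back to the alias that points at it."""
        return {_norm(rr.rdata): _norm(rr.name) for rr in answer if rr.rtype == "CNAME"}

    def effective_name(self, name: str, alias_of: Dict[str, str]) -> str:
        """Walk CNAMEs in the answer back to the name the client asked for.
        The address is usable under that name (same-origin in a browser), so
        that is the name the zone exception must be judged on."""
        cur, seen = _norm(name), set()
        while cur in alias_of and cur not in seen:
            seen.add(cur)
            cur = alias_of[cur]
        return cur

    def violations(self, answer: Iterable[RR]) -> List[RR]:
        answer = list(answer)
        alias_of = self._alias_map(answer)
        bad = []
        for rr in answer:
            if rr.rtype not in ("A", "AAAA"):
                continue
            if not self.address_is_protected(rr.rdata):
                continue
            if not self.name_is_trusted(self.effective_name(rr.name, alias_of)):
                bad.append(rr)
        return bad

    def accept(self, answer: Iterable[RR]) -> bool:
        return not self.violations(answer)


# Constructed sample data: RFC 1918 / ULA space as the protected range, one trusted zone.
POLICY = AnswerPolicy(
    ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8"],
    ["example.com."],
)

SAMPLE_ANSWERS = {
    "internal name, internal address": [RR("intranet.example.com.", "A", "10.1.2.3")],
    "external name, public address": [RR("www.attacker.test.", "A", "203.0.113.5")],
    "external name, internal address": [RR("www.attacker.test.", "A", "10.1.2.3")],
    "CNAME into trusted zone": [RR("www.attacker.test.", "CNAME", "intranet.example.com."),
                                RR("intranet.example.com.", "A", "10.1.2.3")],
    "IPv4-mapped AAAA": [RR("www.attacker.test.", "AAAA", "::ffff:192.168.1.1")],
}

if __name__ == "__main__":
    for label, rrs in SAMPLE_ANSWERS.items():
        print(f"{label:35s} -> {'accept' if POLICY.accept(rrs) else 'REJECT'}")
```

The CNAME walk is the part most easily forgotten: an attacker who controls www.attacker.test can alias it to a trusted internal name, and the browser will still treat the returned internal address as belonging to www.attacker.test, so the zone exception has to be judged on the alias, not on the owner of the A record. The IPv4-mapped unwrap closes the same hole for AAAA. BIND 9.8 and later ship a built-in form of this check as the deny-answer-addresses and deny-answer-aliases options, each taking an except-from list of zones.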



More information about the bind-users mailing list