Limit actions on control channel?
bind at iment.com
Fri Jun 18 16:13:58 UTC 2021
It ought to be possible to write a front-end to listen on the standard control channel and only forward (properly-keyed) 'status' requests to the "real" port that BIND listens to.
From looking at the RNDC exchange via Wireshark however, you'd have to adapt some of BIND's code that does the encryption / key-signing of RNDC requests. Still, for us users, that might be safer -- and more update resistant -- than modifying BIND itself.
On Thu, 17 Jun 2021 11:48:36 -0800
John Thurston <john.thurston at alaska.gov> wrote:
> I see I can define (using the 'controls' statement) a 'read-only' inet
> channel. I suspect I could define a couple of channels on the same
> address if I put them on different ports. Is there a way to define a
> single 'read-write' channel, and then limit certain keys to read-only
> access on it?
> Here's the scenario:
> I'd like to have a single control channel listening (on port 953, for
> example). I'd like to say the key named "foo" can do lots of things, but
> the key named "bar" can only submit a "status" message. This would let
> our monitoring application ask for "status" without also letting it ask
> for "reload" or "flushname".
More information about the bind-users