Client address to "external" via UNIX-domain socket

Jan-Piet Mens jpmens.dns at gmail.com
Sat Mar 19 14:37:30 UTC 2011


> On a related note, I would have expected/wanted the IP address of the
> updater to be passed down through the Unix socket, but that doesn't
> happen. Am I misunderstanding the "protocol"?

I was; a cup of coffee helped tremendously.

The address of the TCP! client is correctly passed to the external
daemon if the updating client connects over TCP (not UDP).
(named/update.c, line 3829.) I now see 

        version=1 signer=jp.example.nil name=fred.example.nil
           addr=127.0.0.1 type=CNAME key= key_data_len=0

I'm trying to understand the reasoning for not giving the authenticator
the client's address (UDP or TCP) because we believe the authenticator
could use that information (although potentially spoofable) to decide on
whether or not to grant the update request.

         * If this is a TCP connection then pass the
         * address of the client through for tcp-self
         * and 6to4-self otherwise pass NULL.  This
         * provides weak address based authentication.

Is there a reason not to change that code to pass the client's address
irrespective of whether UDP or TCP is used? Alternatively, is there a
way to prevent updates over UDP? 

Thanks & regards,

        -JP
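As an added illustration (not code from the post or from BIND itself), here is a small policy check an "external" authenticator daemon could apply to the request shown above. It parses the key=value rendering exactly as it is printed in the post; the binary framing BIND actually sends over the UNIX-domain socket is not shown here and is not reproduced. The policy follows the quoted comment: with no client address (the UDP case) there is nothing to check, so the update is refused, and a matching TCP address is treated only as weak evidence. How an unset address would be rendered (an empty `addr=`) is an assumption.

```python
# Added example, not from the post or from BIND. Toy policy for an "external"
# update authenticator, working on the text form of the request as printed
# in the post. Assumption: the real daemon receives a binary message on the
# UNIX socket; this key=value form is only the printed rendering.
import ipaddress
import re

# Constructed sample: the TCP case, exactly as printed in the post.
SAMPLE_TCP = ("version=1 signer=jp.example.nil name=fred.example.nil "
              "addr=127.0.0.1 type=CNAME key= key_data_len=0")

# Constructed sample for the UDP case: BIND passes NULL for the address;
# an empty addr= field is our assumption for how that would render.
SAMPLE_UDP = ("version=1 signer=jp.example.nil name=fred.example.nil "
              "addr= type=CNAME key= key_data_len=0")

FIELDS = ("version", "signer", "name", "addr", "type", "key", "key_data_len")


def parse_request(line):
    """Parse the printed key=value form into a dict.
    Empty values (e.g. 'key=') are kept as empty strings."""
    fields = {}
    for key, value in re.findall(r"(\w+)=(\S*)", line):
        fields[key] = value
    missing = [f for f in FIELDS if f not in fields]
    if missing:
        raise ValueError("missing fields: %s" % missing)
    fields["key_data_len"] = int(fields["key_data_len"])
    return fields


def decide(req, allowed_nets):
    """Grant only when a client address was passed (the update came in over
    TCP) and it lies inside a permitted network. Returns (granted, reason).
    Address-based checks stay weak, as the quoted update.c comment says:
    the address is spoofable, so this is a filter, not an authentication."""
    if req["version"] != "1":
        return False, "unsupported protocol version"
    addr = req["addr"]
    if not addr:
        return False, "no client address passed (UDP update): refuse"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False, "unparseable client address"
    for net in allowed_nets:
        if ip in ipaddress.ip_network(net):
            return True, "%s within %s (weak, address-based only)" % (addr, net)
    return False, "%s outside permitted networks" % addr


if __name__ == "__main__":
    nets = ["127.0.0.0/8", "192.0.2.0/24"]  # constructed policy
    for line in (SAMPLE_TCP, SAMPLE_UDP):
        print(decide(parse_request(line), nets))
```

Run stand-alone it prints the decision for both samples: the TCP request is granted (weakly) because 127.0.0.1 is in the permitted range, the UDP one is refused because no address reached the authenticator.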


