Client address to "external" via UNIX-domain socket
Paul Vixie
vixie at isc.org
Sat Mar 19 18:48:09 UTC 2011
> Date: Sat, 19 Mar 2011 15:37:30 +0100
> From: Jan-Piet Mens <jpmens.dns at gmail.com>
> ...
> Is there a reason not to change that code to pass the client's address
> irrespective of whether UDP or TCP is used? ...
since ip/udp source addresses are far less repudiable than ip/tcp source
addresses i think the idea is to not send them to an external authenticator
since they should never be relied upon.
> Alternatively, is there a way to prevent updates over UDP?
effectively but indirectly, yes: if ip/udp source addresses won't authenticate,
udp initiators will never work, and so initiators will adapt to using tcp.
a more direct syntax is desirable, since there is no way in the config file
to say in "allow-update" that a given source address has permission so long
as the transport is tcp.
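As an added example, not taken from this thread or from BIND itself: a minimal Python external authenticator that implements the policy described above, granting a source address only when the update arrived over TCP (named passes an empty address for UDP). The request/reply layout is assumed from the BIND ARM's description of the external update-policy type and should be checked against the version you run; the allow-listed addresses are constructed.

```python
import ipaddress
import socket
import struct
VERSION = 1  # value named puts first in every request (assumed from the ARM)
# Constructed allow-list of updaters; hypothetical addresses.
ALLOWED_UPDATERS = {ipaddress.ip_address(a) for a in ("192.0.2.10", "2001:db8::10")}

def parse_request(data: bytes) -> dict:
    """Assumed layout: uint32 version, uint32 length of the rest, then six
    NUL-terminated strings: signer, name, tcp-address (empty over UDP), type, key, token."""
    version, length = struct.unpack("!II", data[:8])  # struct.error if too short
    fields = data[8:8 + length].split(b"\0")
    if version != VERSION or len(data) < 8 + length or len(fields) != 7 or fields[-1]:
        raise ValueError("bad version, truncated request or wrong field count")
    names = ("signer", "name", "addr", "type", "key", "token")
    return dict(zip(names, (f.decode("ascii", "replace") for f in fields[:6])))

def decide(req: dict) -> bool:
    """Grant only when named passed a source address (so the update came over TCP
    and the address survived a handshake) and it is allow-listed; empty addr = UDP."""
    try:
        return bool(req["addr"]) and ipaddress.ip_address(req["addr"]) in ALLOWED_UPDATERS
    except ValueError:  # address string did not parse
        return False

def build_request(signer, name, addr, rtype, key="", token=""):
    """Encode a request in the same assumed layout (used for offline testing)."""
    body = b"".join(s.encode() + b"\0" for s in (signer, name, addr, rtype, key, token))
    return struct.pack("!II", VERSION, len(body)) + body

def handle(data: bytes) -> bytes:
    """Reply is uint32 version, uint32 result; nonzero grants the update."""
    try:
        allow = decide(parse_request(data))
    except (ValueError, struct.error):  # malformed request: deny
        allow = False
    return struct.pack("!II", VERSION, 1 if allow else 0)

def serve(path: str) -> None:
    """Answer named on the UNIX-domain socket named in the external rule."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(path)
        srv.listen()
        while True:
            conn, _ = srv.accept()
            with conn:
                hdr = conn.recv(8)
                rest = conn.recv(struct.unpack("!II", hdr)[1]) if len(hdr) == 8 else b""
                conn.sendall(handle(hdr + rest))
```

Because the daemon sees the address only for TCP updates, the same allow-list expressed here cannot be satisfied by a UDP update at all, which is the "indirect" effect the reply describes.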