Client address to "external" via UNIX-domain socket

Jan-Piet Mens jpmens.dns at gmail.com
Mon Mar 21 08:55:54 UTC 2011


Evan,

>   Can you go into more detail about why you need this?

Thinking aloud, ideally, BIND would offer the following capabilities,
when made available to a large number of clients who may update
their zones.

1. Limit the number of total RR in a zone on a per-zone basis. When a
   configured limit is reached, a ddns update is refused. The
   reasoning behind this is to prevent a client DoS'ing a BIND server.
   Something along the lines of

   zone-policy {
     max-records local-ddns none;
     max-records "client1.key.name" 200;
     max-records "client2.client.name" 400;
   };

   I have not fully thought about what consequences that would have,
   e.g. what happens when client1 reaches a limit: may it then delete
   records?

2. Better logging of ddns updates; which client (IP and key name) did
   what, when, etc. (We talked recently about the small patch I
   submitted.)

With matchtype external I was hoping to be able to hook up this kind of
functionality, but I now realize I'm on the wrong track.

> > Alternatively, is there a way to prevent updates over UDP? 
> 
> Well, if you're using matchtype external and the policy daemon
> rejects anything that doesn't send an address, that would prevent
> updates over UDP, I guess...

(grins) Yes, hadn't thought of that one. :)

Regards,

        -JP
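As an added example (not code from this thread, from JP, or from BIND), here is the policy-daemon side of the trick Evan describes: named hands each dynamic update to a daemon over a UNIX-domain socket, and the daemon refuses any request that carries no TCP source address, which denies everything that arrived over UDP. It also emits the kind of audit line JP asks for in point 2 (key name, address, name, type). Assumptions: the request layout and the 4-byte 0/1 reply follow the format the BIND 9 ARM documents for `external` update-policy rules in later releases (protocol version 1, fields in the order below); named uses a stream socket and sends one request per connection; the length field counts the whole message; the signer names are taken from the `zone-policy` sketch above; the socket path is made up.

```python
import os
import socket
import struct
import sys

PROTOCOL_VERSION = 1  # assumption: named sends protocol version 1

# TSIG key names allowed to update; taken from the email's zone-policy sketch.
ALLOWED_SIGNERS = {"client1.key.name", "client2.client.name"}


def _cstring(buf, off):
    """Return (string, next offset) for the NUL-terminated field at buf[off:]."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("ascii"), end + 1


def parse_request(data):
    """Parse one request from named.  Field order follows the BIND 9 ARM's
    description of 'external' rules (assumption: that is what named sends):
    version(4) length(4), then signer, name, tcp-source-address, rdtype and
    key (each NUL-terminated), then tkey-length(4) and tkey-data."""
    if len(data) < 8:
        raise ValueError("request too short")
    version, length = struct.unpack("!II", data[:8])
    if version != PROTOCOL_VERSION:
        raise ValueError("unsupported protocol version %d" % version)
    off = 8
    signer, off = _cstring(data, off)
    name, off = _cstring(data, off)
    tcp_addr, off = _cstring(data, off)
    rdtype, off = _cstring(data, off)
    key, off = _cstring(data, off)
    (tkeylen,) = struct.unpack("!I", data[off:off + 4])
    off += 4
    tkey = data[off:off + tkeylen]
    if len(tkey) != tkeylen:
        raise ValueError("truncated TKEY token")
    return {"signer": signer, "name": name, "tcp_addr": tcp_addr,
            "rdtype": rdtype, "key": key, "tkey": tkey}


def decide(req):
    """Policy: 1 = permit, 0 = refuse.  An empty TCP source address means the
    update did not arrive over TCP, so refusing it is the 'no address, no
    update' rule from the thread; unknown signers are refused as well."""
    if not req["tcp_addr"]:
        return 0
    if req["signer"] not in ALLOWED_SIGNERS:
        return 0
    return 1


def log_line(req, verdict):
    """One audit line per decision: which key, from which address, did what."""
    return "ddns %s signer=%s addr=%s name=%s type=%s" % (
        "PERMIT" if verdict else "REFUSE",
        req["signer"] or "-", req["tcp_addr"] or "-",
        req["name"], req["rdtype"])


def build_request(signer, name, tcp_addr, rdtype, key, tkey=b""):
    """Encode a request the way parse_request expects it (used here to
    construct sample input; assumption: the length field counts the whole
    message including the 8-byte header)."""
    body = b"".join(s.encode("ascii") + b"\x00"
                    for s in (signer, name, tcp_addr, rdtype, key))
    body += struct.pack("!I", len(tkey)) + tkey
    return struct.pack("!II", PROTOCOL_VERSION, 8 + len(body)) + body


def handle(data):
    """Parse, decide, log; return the 4-byte network-order reply for named.
    Anything malformed is refused rather than ignored."""
    try:
        req = parse_request(data)
        verdict = decide(req)
        sys.stderr.write(log_line(req, verdict) + "\n")
    except ValueError as e:
        sys.stderr.write("ddns REFUSE malformed request: %s\n" % e)
        verdict = 0
    return struct.pack("!I", verdict)


def serve(path):
    """Accept requests on a UNIX-domain stream socket (assumption: named uses
    a stream socket and sends one request per connection)."""
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o660)  # only named's group should reach the policy socket
    srv.listen(5)
    while True:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(handle(conn.recv(65536)))


if __name__ == "__main__":
    # Hypothetical socket path; the matching update-policy rule would name it.
    serve(sys.argv[1] if len(sys.argv) > 1 else "/var/run/named/ddns-policy.sock")
```

The decision logic is kept separate from the socket handling so that `decide()` can be unit-tested with constructed requests, and a malformed request is answered with a refusal rather than left hanging, since named is waiting on the reply.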


