[bind10-dev] ddns

JINMEI Tatuya / 神明達哉 jinmei at isc.org
Fri Dec 2 07:15:00 UTC 2011


At Wed, 30 Nov 2011 18:40:11 +0100,
Jelte Jansen <jelte at isc.org> wrote:

> Will there be many people offended if we actually had two different
> places where we do acl checks for updates?
> 
> - A very high-level check ('allow updates in the first place') done by
> auth (or receptionist, or whoever receives the query, note that if we
> have a receptionist, we probably want to have a general ACL framework
> for everything it can pass anyway).
> - Low-level checks ('allow update for X') done by the ddns code itself.
> 
> That would solve most of the potential information leakage problems and
> much of the potential DoS problems. But it does require more configuration.

Actually, if we provide the option of "not running DDNS at all", that
would effectively work as the "high-level check".  Maybe that's
sufficient for the rationale I raised (quick defense against crash-DoS
type of attacks).  And it wouldn't be considered a violation of the
RFC.

The question then is where to perform the "low level checks": whether
it's after prerequisite checks as the RFC states or whether it's at the
beginning of update protocol processing.  Assuming we provide the
option of disabling ddns completely, I'm not sure which is better for
this question.

---
JINMEI, Tatuya
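
As an added illustration (not part of the original message and not BIND 10 code), this Python model shows which rcodes a client outside the update ACL observes under each ordering of the low-level check relative to prerequisite processing. The zone content, addresses, function names and the rcode used when DDNS is disabled are assumptions made for the example.

```python
# Simplified model of DDNS update processing order; not BIND 10 code.
from dataclasses import dataclass

NOERROR, REFUSED, NXRRSET, NOTIMP = "NOERROR", "REFUSED", "NXRRSET", "NOTIMP"

# Constructed sample data (documentation names and addresses).
ZONE = {("www.example.org.", "A"), ("mail.example.org.", "MX")}
UPDATE_ACL = {"192.0.2.10"}  # clients allowed to update this zone


@dataclass
class Update:
    client: str
    prereq: tuple  # (name, type) for an "RRset exists" prerequisite


def handle_update(upd, ddns_enabled=True, acl_first=True):
    """Return the rcode the client would see for this update request."""
    # High-level check: DDNS is not running at all.
    if not ddns_enabled:
        return NOTIMP  # assumed rcode; the thread does not name one

    allowed = upd.client in UPDATE_ACL

    # Option A: low-level ACL check at the start of update processing.
    if acl_first and not allowed:
        return REFUSED

    # Prerequisite section: the named RRset must exist in the zone.
    if upd.prereq not in ZONE:
        return NXRRSET

    # Option B: low-level ACL check after the prerequisite checks.
    if not allowed:
        return REFUSED

    return NOERROR  # the update section would be applied here


def rcodes_seen(client, acl_first):
    """Rcodes for one RRset that exists and one that does not."""
    probes = [("www.example.org.", "A"), ("secret.example.org.", "A")]
    return [handle_update(Update(client, p), acl_first=acl_first) for p in probes]


if __name__ == "__main__":
    outsider = "203.0.113.5"  # constructed address, not in UPDATE_ACL
    print("ACL after prereqs:", rcodes_seen(outsider, acl_first=False))
    print("ACL first:        ", rcodes_seen(outsider, acl_first=True))
```

With the ACL check after the prerequisites, the two responses differ for a client that is not allowed to update, so the rcode reflects zone content; with the ACL check first, both are REFUSED.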


