[bind10-dev] ddns
JINMEI Tatuya / 神明達哉
jinmei at isc.org
Fri Dec 2 07:37:10 UTC 2011
At Wed, 30 Nov 2011 11:35:10 +0100,
Shane Kerr <shane at isc.org> wrote:
> > Is that a known problem or your opinion? I don't think it causes any
> > essential leakage of information that cannot be retrieved otherwise.
> > For example, if you want to know whether a particular server has
> > authority for a particular zone, you can simply send an SOA query for
> > that zone name to that server. I believe other information that could
> > be "leaked" via prerequisite failures can also be retrieved via simple
> > normal queries.
>
> Hm... this is based on a vague memory of mine. I went back through the
> BIND 9 changelog and didn't see anything related to this, so perhaps I
> am crazy. :( IIRC Michael knows this particular issue in detail.

It's probably this one:

2737.   [func]          UPDATE requests can leak existence information.
                        [RT #17261]

The related code is this:

static void
update_action(isc_task_t *task, isc_event_t *event) {
[...]
        /*
         * Update message processing can leak record existence information
         * so check that we are allowed to query this zone.  Additionally
         * if we would refuse all updates for this zone we bail out here.
         */
        CHECK(checkqueryacl(client, dns_zone_getqueryacl(zone), zonename,
                            dns_zone_getupdateacl(zone), ssutable));

---
JINMEI, Tatuya
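
Added example (not part of the original message and not BIND code): a simplified C model of the ordering issue behind change 2737. It assumes a handler that evaluates a "name is not in use" prerequisite before the update permission check; the zone names, struct client and handle_update() are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* DNS rcodes (values from RFC 1035 / RFC 2136). */
enum rcode { NOERROR = 0, REFUSED = 5, YXDOMAIN = 6 };

/* Constructed zone contents and client flags; not BIND data structures. */
static const char *zone_names[] = { "www.example.test", "vpn.example.test" };

struct client { bool may_query; bool may_update; };

static bool name_in_use(const char *name) {
    for (size_t i = 0; i < sizeof zone_names / sizeof zone_names[0]; i++)
        if (strcmp(zone_names[i], name) == 0)
            return true;
    return false;
}

/*
 * Handle an UPDATE carrying one "name is not in use" prerequisite.
 * gate_on_query_acl models the check quoted above: refuse before any
 * prerequisite is evaluated unless the client could have queried the zone.
 */
static enum rcode handle_update(const struct client *c, const char *name,
                                bool gate_on_query_acl) {
    if (gate_on_query_acl && !c->may_query)
        return REFUSED;
    if (name_in_use(name))
        return YXDOMAIN;      /* prerequisite failed: the name exists */
    if (!c->may_update)
        return REFUSED;       /* permission checked only after prerequisites */
    return NOERROR;           /* the update section would be applied here */
}

/* True when the rcode depends on whether the name exists. */
static bool leaks_existence(const struct client *c, bool gate) {
    return handle_update(c, "vpn.example.test", gate) !=
           handle_update(c, "absent.example.test", gate);
}

int main(void) {
    struct client outsider = { false, false };
    /* Exit status 0 when only the ungated handler leaks to the outsider. */
    return !(leaks_existence(&outsider, false) &&
             !leaks_existence(&outsider, true));
}
```

A client that already has query access still sees different rcodes with the gate enabled, which matches the point made earlier in the thread that such information is available through normal queries.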