[bind10-dev] ddns

Michal 'vorner' Vaner michal.vaner at nic.cz
Fri Dec 2 07:52:18 UTC 2011


Hello

On Thu, Dec 01, 2011 at 11:15:00PM -0800, JINMEI Tatuya / 神明達哉 wrote:
> > That would solve most of the potential information leakage problems and
> > much of the potential DOS problems. But it does require more configuration.
> 
> Actually, if we provide the option of "not running DDNS at all", that
> would effectively work as the "high-level check".  Maybe that's
> sufficient for the rationale I raised (quick defense against crash-DoS
> type of attacks).  And it wouldn't be considered a violation of the
> RFC.

No, they're not really the same. With „not running at all“, you have it either
enabled or disabled. With the ACLs, you can say „I want these two to be able to
do DDNS updates, but not the rest of the world“, but you still have it running.
I believe these two are independent.

With regards

-- 
Security warning: Do not expose this email to direct sunlight.
It may lead to undefined behaviour, including possible data or life losses.

Michal 'vorner' Vaner