[bind10-dev] ddns

JINMEI Tatuya / 神明達哉 jinmei at isc.org
Fri Dec 2 08:00:37 UTC 2011


At Fri, 2 Dec 2011 08:52:18 +0100,
Michal 'vorner' Vaner <michal.vaner at nic.cz> wrote:

> > > That would solve most of the potential information leakage problems and
> > > much of the potential DOS problems. But it does require more configuration.
> > 
> > Actually, if we provide the option of "not running DDNS at all", that
> > would effectively work as the "high-level check".  Maybe that's
> > sufficient for the rationale I raised (quick defense against crash-DoS
> > type of attacks).  And it wouldn't be considered a violation of the
> > RFC.
> 
> No, they're not really the same. With „not running at all“, you have it either
> enabled or disabled. With the ACLs, you can say „I want these two to be able to
> do DDNS updates, but not the rest of the world“, but you still have it running.
> I believe these two are independent.

True, but my main point in the context still stands.  My personal
rationale was preventing DoS in case the ddns code has a crash-type
bug and using the "ACL" as a quick workaround to prevent the crash (even
at the cost of disabling ddns while waiting for the real cure).  For
that purpose, "disable all" is just sufficient.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
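As an added illustration of the two controls discussed in this thread (a global "don't run DDNS at all" switch versus a per-client ACL), here is a small first-match ACL evaluator with a separate enable flag. This is example code written for this archive page, not BIND 10's own ACL implementation; the rule layout (a list of `{"action", "from"}` entries, first match wins, a trailing rule without `from` as the default) is an assumption modelled loosely on BIND 10-style ACLs, and the client addresses are constructed sample values.

```python
import ipaddress

# Constructed sample ACL (assumption: BIND 10-like layout, first match wins).
# Two clients may send updates; the last rule rejects everyone else.
DDNS_ACL = [
    {"action": "ACCEPT", "from": "192.0.2.10"},      # one IPv4 host
    {"action": "ACCEPT", "from": "2001:db8::/64"},   # one IPv6 prefix
    {"action": "REJECT"},                            # default for the rest
]


def acl_action(acl, client_ip, default="REJECT"):
    """Return the action of the first rule matching client_ip.

    A rule without a "from" key matches every client. A rule whose
    "from" value is not a valid address or prefix is skipped rather
    than treated as a wildcard, so a typo cannot silently open the ACL.
    """
    ip = ipaddress.ip_address(client_ip)
    for rule in acl:
        src = rule.get("from")
        if src is None:
            return rule["action"]
        try:
            net = ipaddress.ip_network(src, strict=False)
        except ValueError:
            continue
        if ip.version == net.version and ip in net:
            return rule["action"]
    return default


def ddns_decision(enabled, acl, client_ip):
    """Combine the global switch with the ACL.

    If DDNS is disabled, no update is evaluated at all (the quick
    workaround discussed in the thread). Otherwise the ACL decides
    per client, so the two controls are independent of each other.
    """
    if not enabled:
        return "DISABLED"
    return acl_action(acl, client_ip)


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.11", "2001:db8::1", "2001:db8:1::1"):
        print(client, ddns_decision(True, DDNS_ACL, client))
    print("192.0.2.10 with DDNS off:", ddns_decision(False, DDNS_ACL, "192.0.2.10"))
```

The point the example makes concrete is the one vorner raises: the enable flag is binary and bypasses the ACL entirely, while the ACL keeps the service running but limits who may use it. Both can be set at once, and neither replaces the other.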
