[bind10-dev] when should we apply ACL in incoming request processing?
Michal 'vorner' Vaner
michal.vaner at nic.cz
Fri Jun 24 20:20:56 UTC 2011
Hello
On Fri, Jun 24, 2011 at 11:32:50AM -0700, JINMEI Tatuya / 神明達哉 wrote:
> This is compatible with BIND 9's behavior, but I guess administrators
> would rather reject an unwanted packet before doing any deeper
> inspection. BIND 9 actually has a separate "blackhole" ACL, which is
> applied before doing any protocol level processing, but the current
> implementation of b10-resolver doesn't have an equivalent to that.
I thought about it a little as well. If we want to check TSIG keys (or, their
names), I believe we even need to perform TSIG validation before doing ACL. And
I think we want to allow checking the DNS message itself.
Anyway, if administrators really want to reject/drop the packets even before
that, we could provide another ACL point, which would be limited in what it can
check (since some information is not yet available) but could drop it before.
But I'm not sure whether we wouldn't just be duplicating the firewall, which can do these
kinds of raw drops easily, before the packet even reaches our code, and probably more easily than we could.
With regards
--
There is one difference between linux and windows.
With windows, you pay for the software, but you get all the T-shirts for free.
With linux, you get all the software for free, but you buy the T-shirts.
Michal 'vorner' Vaner
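The two ACL points discussed above (an early "blackhole"-style drop that sees only the source address, and a later check that can match on the verified TSIG key name and on the query itself) sketched as an added example. This is not BIND 10 code or code from anyone in the thread; the wire format, the key name `xfer-key.`, the secrets, addresses and rule sets are all constructed, and HMAC-SHA256 over a toy message stands in for real TSIG processing. It also makes the point that a TSIG key name must be verified before an ACL is allowed to match on it, otherwise any client could claim it.

```python
import hmac
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed key store (hypothetical name and secret).
TSIG_KEYS = {"xfer-key.": b"constructed-secret"}


@dataclass
class Message:
    qname: str
    qtype: str
    key_name: Optional[str] = None  # TSIG key name as carried in the packet (unverified)
    mac: Optional[bytes] = None
    signed: bytes = b""             # the bytes the MAC covers


def parse(wire: bytes) -> Message:
    """Toy wire format (constructed): b'qname|qtype' optionally followed by
    b'|keyname|hexmac'. Real DNS parsing is far more involved; only the
    shape of the pipeline matters here."""
    parts = wire.split(b"|")
    if len(parts) not in (2, 4):
        raise ValueError("malformed message")
    qname, qtype = parts[0].decode(), parts[1].decode()
    if len(parts) == 2:
        return Message(qname, qtype)
    key_name = parts[2].decode()
    mac = bytes.fromhex(parts[3].decode())
    signed = b"|".join(parts[:3])   # MAC covers the query and the key name
    return Message(qname, qtype, key_name, mac, signed)


def sign(wire_unsigned: bytes, key_name: str, secret: bytes) -> bytes:
    """Client side: append a TSIG-like trailer (constructed helper)."""
    signed = wire_unsigned + b"|" + key_name.encode()
    mac = hmac.new(secret, signed, hashlib.sha256).digest()
    return signed + b"|" + mac.hex().encode()


def verify_tsig(msg: Message) -> Optional[str]:
    """Return the verified key name, or None for an unsigned message.
    Raise for an unknown key or a bad MAC: an unverified key name must
    never be handed to the ACL, or anyone could claim it."""
    if msg.key_name is None:
        return None
    secret = TSIG_KEYS.get(msg.key_name)
    if secret is None:
        raise PermissionError("BADKEY")
    expected = hmac.new(secret, msg.signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg.mac):
        raise PermissionError("BADSIG")
    return msg.key_name


# An ACL is an ordered list of (action, criteria); first match wins.
# Criteria: "src" (CIDR), "key" (verified TSIG key name), "qtype".
EARLY_FIELDS = {"src"}                  # all that is known before parsing
LATE_FIELDS = {"src", "key", "qtype"}   # known after parse + TSIG verification


def unavailable_fields(acl, allowed) -> set:
    """Fields an ACL uses that are not known yet at the given ACL point."""
    used = set()
    for _action, crit in acl:
        used |= set(crit)
    return used - allowed


def _field_matches(field, want, have) -> bool:
    if have is None:
        return False
    if field == "src":
        return ipaddress.ip_address(have) in ipaddress.ip_network(want)
    return have == want


def match(acl, ctx, default="accept") -> str:
    for action, crit in acl:
        if all(_field_matches(k, v, ctx.get(k)) for k, v in crit.items()):
            return action
    return default


def process(src: str, wire: bytes, blackhole_acl, query_acl) -> str:
    """Two ACL points: a pre-parse drop on the source address only, then a
    full check after parsing and TSIG verification. Returns the decision."""
    for acl, allowed in ((blackhole_acl, EARLY_FIELDS), (query_acl, LATE_FIELDS)):
        bad = unavailable_fields(acl, allowed)
        if bad:
            raise ValueError(f"field(s) {sorted(bad)} not available at this ACL point")
    if match(blackhole_acl, {"src": src}) == "drop":
        return "drop"                   # nothing parsed, nothing answered
    try:
        msg = parse(wire)
    except ValueError:
        return "formerr"
    try:
        key = verify_tsig(msg)
    except PermissionError as e:
        return f"reject:{e}"            # TSIG failure is answered, not silently dropped
    ctx = {"src": src, "key": key, "qtype": msg.qtype}
    return match(query_acl, ctx, default="reject")
```

The early point rejects rules that reference `key` or `qtype`, which is the "limited in what it can check" restriction from the message; the late point defaults to reject so a rule set that forgets a catch-all fails closed.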