[bind10-dev] ddns
JINMEI Tatuya / 神明達哉
jinmei at isc.org
Mon Nov 28 23:29:31 UTC 2011
At Mon, 28 Nov 2011 14:02:01 +0100,
Shane Kerr <shane at isc.org> wrote:
> > - Naturally it should only work on zones for which we are master, and
> > the datasource should be writable
> > - Also naturally, we will need ACL checks done here
>
> IIRC, the RFC describes exactly where ACL checks should be done in the
> processing. I believe that the RFC is bogus, because it requires extra
> checking beyond what should normally be done.
>
> I think this caused an information leakage bug in BIND 9, which revealed
> presence or not of zones, regardless of the status of the ACL. I think
> the answer to this was to remember that a zone does not exist, and then
> fail later after the ACL checks have completed - with the appropriate
> ACL errors if necessary.

Is that a known problem or your opinion? I don't think it causes any
essential leakage of information that cannot be retrieved otherwise.
For example, if you want to know whether a particular server has
authority for a particular zone, you can simply send an SOA query for
that zone name to that server. I believe other information that could
be "leaked" via prerequisite failures can also be retrieved via simple
normal queries.

But I agree that the RFC doesn't make sense in terms of where to
perform access control for other reasons as I explained in my other
message in this thread (and my understanding is that this is today's
consensus of dnsext), and I think it would be worth discussing what to
do for the BIND 10 implementation.
---
JINMEI, Tatuya
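
The two orderings discussed in this thread, as an added example that is not part of the original message and is not BIND 9 or BIND 10 code: one handler answers as soon as the zone lookup fails, the other remembers the missing zone and answers only after the ACL check. The zone name, addresses, function names and the server-wide `DEFAULT_ACL` used when no zone matches are assumptions; NOTAUTH and REFUSED are the RFC 2136 rcodes.

```python
from ipaddress import ip_address, ip_network

# Rcodes as named in RFC 2136.
NOERROR, NOTAUTH, REFUSED = "NOERROR", "NOTAUTH", "REFUSED"

# Constructed sample configuration: master zones and their update ACLs.
ZONES = {"example.org.": [ip_network("192.0.2.0/24")]}
# Assumption: a server-wide ACL is evaluated when no zone matches.
DEFAULT_ACL = [ip_network("192.0.2.0/24")]


def allowed(client, acl):
    """True if the client address falls inside any network of the ACL."""
    addr = ip_address(client)
    return any(addr in net for net in acl)


def update_zone_first(client, zone):
    """Zone lookup answers immediately, before any ACL is consulted."""
    if zone not in ZONES:
        return NOTAUTH
    if not allowed(client, ZONES[zone]):
        return REFUSED
    return NOERROR


def update_acl_first(client, zone):
    """Remember that the zone is missing, run the ACL check, then fail."""
    acl = ZONES.get(zone)
    zone_missing = acl is None
    if not allowed(client, DEFAULT_ACL if zone_missing else acl):
        return REFUSED
    if zone_missing:
        return NOTAUTH
    return NOERROR


def distinguishable(handler, client, zones):
    """True if the client receives different rcodes for the given zones."""
    return len({handler(client, zone) for zone in zones}) > 1


if __name__ == "__main__":
    probe = ["example.org.", "absent.example."]  # constructed zone names
    for handler in (update_zone_first, update_acl_first):
        print(handler.__name__, distinguishable(handler, "203.0.113.9", probe))
```

This covers only the UPDATE path; whether the same fact is available through ordinary queries, as the reply argues, is outside what the sketch models.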