[bind10-dev] ddns
Peter Koch
pk at DENIC.DE
Tue Nov 29 06:56:38 UTC 2011
Jinmei,
> For example, if you want to know whether a particular server has
> authority for a particular zone, you can simply send an SOA query for
> that zone name to that server. I believe other information that could
> be "leaked" via prerequisite failures can also be retrieved via simple
> normal queries.
if ACLs are checked only after the processing (as opposed to where normal
queries are door bounced), the leak may well happen.
> But I agree that the RFC doesn't make sense in terms of where to
> perform access control for other reasons as I explained in my other
> message in this thread (and my understanding is that this is today's
> consensus of dnsext), and I think it would be worth discussing what to
> do for the BIND 10 implementation.
I'd like to see both the option to have a server with no DynUpd code
at all as well as early shields where DynUpd is needed. It might
be worth exploring the history of the ACL rules a bit; probably there
were considerations re: DoS for "expensive" ACLs or authorization in
general.
-Peter (member of the peanut gallery)
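To make the ordering question concrete, here is a small added simulation (not BIND 10 code, and not from anyone in this thread) of an UPDATE handler with the zone contents, ACL and client addresses all constructed for the example. It processes the prerequisite section first, as RFC 2136 section 3 lays it out, and compares the response codes an unauthorized client sees against the "early shield" ordering where the ACL is consulted before any zone state is touched.

```python
# Added illustration (not BIND 10 code): two orderings of the update ACL
# check in a toy DNS UPDATE handler.  RFC 2136 processes the prerequisite
# section (3.2) before the update-permission check (3.3).
from typing import Dict, List, Set, Tuple

# Constructed sample zone: owner name -> set of RR types present.
ZONE_DB: Dict[str, Set[str]] = {
    "example.test": {"SOA", "NS"},
    "www.example.test": {"A"},
}
UPDATE_ACL: Set[str] = {"192.0.2.10"}  # constructed: the one permitted client

# Prerequisite as (kind, owner name, rrtype); rrtype is "" for name checks.
Prereq = Tuple[str, str, str]

def check_prereqs(prereqs: List[Prereq]) -> str:
    """RFC 2136 section 3.2: NOERROR, or the rcode of the first failure."""
    for kind, name, rrtype in prereqs:
        types = ZONE_DB.get(name)
        if kind == "name-in-use" and types is None:
            return "NXDOMAIN"
        if kind == "name-not-in-use" and types is not None:
            return "YXDOMAIN"
        if kind == "rrset-exists" and (types is None or rrtype not in types):
            return "NXRRSET"
        if kind == "rrset-not-exists" and types is not None and rrtype in types:
            return "YXRRSET"
    return "NOERROR"

def handle_update(client: str, prereqs: List[Prereq], acl_first: bool) -> str:
    """Rcode the UPDATE gets; acl_first selects the early-shield ordering."""
    authorized = client in UPDATE_ACL
    if acl_first and not authorized:
        return "REFUSED"            # early shield: zone state never consulted
    rc = check_prereqs(prereqs)     # RFC 2136 order: prerequisites first
    if rc != "NOERROR":
        return rc                   # rcode now depends on zone contents
    if not authorized:
        return "REFUSED"            # section 3.3 permission check lands here
    return "NOERROR"

def rcodes_seen_by(client: str, acl_first: bool) -> Set[str]:
    """Distinct rcodes a client receives for three constructed prerequisites."""
    requests = [
        [("rrset-exists", "www.example.test", "A")],
        [("rrset-exists", "www.example.test", "AAAA")],
        [("name-in-use", "ftp.example.test", "")],
    ]
    return {handle_update(client, p, acl_first) for p in requests}
```

With the RFC ordering an address outside the ACL receives REFUSED, NXRRSET or NXDOMAIN depending on what the zone contains; with the ACL checked first it receives REFUSED for all three, which is the "early shield" behaviour and also avoids spending zone lookups on requests that will be refused anyway.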