[bind10-dev] ddns

Shane Kerr shane at isc.org
Wed Nov 30 10:35:10 UTC 2011


Jinmei,

On Mon, 2011-11-28 at 15:29 -0800, JINMEI Tatuya / 神明達哉 wrote:
> > 
> > I think this caused an information leakage bug in BIND 9, which revealed
> > presence or not of zones, regardless of the status of the ACL. I think
> > the answer to this was to remember that a zone does not exist, and then
> > fail later after the ACL checks have completed - with the appropriate
> > ACL errors if necessary.
> 
> Is that a known problem or your opinion?  I don't think it causes any
> essential leakage of information that cannot be retrieved otherwise.
> For example, if you want to know whether a particular server has
> authority for a particular zone, you can simply send an SOA query for
> that zone name to that server.  I believe other information that could
> be "leaked" via prerequisite failures can also be retrieved via simple
> normal queries.

Hm... this is based on a vague memory of mine. I went back through the
BIND 9 changelog and didn't see anything related to this, so perhaps I
am crazy. :( IIRC Michael knows this particular issue in detail.

I do think that this can cause leakage, if ACL checking occurs in the
wrong place. Imagine a split-brain server that has a zone that is
available for internal queries only; in principle SOA queries will not
reveal the existence of the zone, but a DDNS update might. Not a huge
problem, and again, based on a vague recollection not a careful reading
of the code or specs.

> But I agree that the RFC doesn't make sense in terms of where to
> perform access control for other reasons as I explained in my other
> message in this thread (and my understanding is that this is today's
> consensus of dnsext), and I think it would be worth discussing what to
> do for the BIND 10 implementation.

Yup! :)

--
Shane
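
The ordering question discussed in this thread, as an added example that is not part of the original message and is not BIND 9 or BIND 10 code: a toy update handler that answers from the zone lookup before any ACL check, beside one that remembers the zone is missing and fails only after the ACL check. The zone names, client addresses, `DEFAULT_ACL` and all function names are constructed assumptions.

```python
# Added illustration; all names and data below are constructed, not BIND code.
NOERROR, REFUSED, NOTAUTH = "NOERROR", "REFUSED", "NOTAUTH"  # RFC 2136 RCODE names

# Constructed split-view setup: per-zone update ACLs (sets of client addresses).
ZONE_ACLS = {
    "example.com.": {"192.0.2.10"},
    "corp.internal.": {"10.0.0.5"},   # zone meant to be invisible from outside
}
# Assumption: a server-wide ACL consulted when no zone matches.
DEFAULT_ACL = {"10.0.0.5"}


def update_zone_first(client, zone):
    """Zone lookup answers before any ACL is consulted."""
    if zone not in ZONE_ACLS:
        return NOTAUTH                 # sent to anyone who asks
    if client not in ZONE_ACLS[zone]:
        return REFUSED                 # so REFUSED now implies "zone exists"
    return NOERROR


def update_acl_first(client, zone):
    """Remember that the zone is missing, finish the ACL check, then fail."""
    zone_missing = zone not in ZONE_ACLS
    acl = DEFAULT_ACL if zone_missing else ZONE_ACLS[zone]
    if client not in acl:
        return REFUSED                 # identical for missing and hidden zones
    return NOTAUTH if zone_missing else NOERROR


def observable_rcodes(handler, client, zones):
    """Distinct RCODEs one client sees; more than one means zones are distinguishable."""
    return {handler(client, z) for z in zones}


if __name__ == "__main__":
    outsider = "203.0.113.7"           # constructed address, in no ACL
    probes = ["corp.internal.", "no-such-zone.test."]
    for handler in (update_zone_first, update_acl_first):
        print(handler.__name__, sorted(observable_rcodes(handler, outsider, probes)))
```

With the deferred check, a client that fails every ACL gets the same RCODE for a hidden zone and a nonexistent one; only clients that pass the default ACL still see NOTAUTH.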



