[bind10-dev] ddns
Jelte Jansen
jelte at isc.org
Wed Nov 30 17:40:11 UTC 2011
On 11/30/2011 11:35 AM, Shane Kerr wrote:
>
>> But I agree that the RFC doesn't make sense in terms of where to
>> perform access control for other reasons as I explained in my other
>> message in this thread (and my understanding is that this is today's
>> consensus of dnsext), and I think it would be worth discussing what to
>> do for the BIND 10 implementation.
>
> Yup! :)
>
Will there be many people offended if we actually had two different
places where we do ACL checks for updates?

- A very high-level check ('allow updates in the first place') done by
  auth (or receptionist, or whoever receives the query; note that if we
  have a receptionist, we probably want to have a general ACL framework
  for everything it can pass anyway).
- Low-level checks ('allow update for X') done by the ddns code itself.

That would solve most of the potential information leakage problems and
much of the potential DoS problems. But it does require more configuration.
Jelte
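
The two-level check proposed in this message, sketched as an added example (not code from the post or from BIND 10). The policy tables, key names, addresses and function names are all hypothetical; the point shown is that a sender rejected by the coarse front-end ACL never reaches zone-specific evaluation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

REFUSED, NOTAUTH, NOERROR = "REFUSED", "NOTAUTH", "NOERROR"

# Level 1 (auth/receptionist): who may send UPDATE at all. Constructed policy.
FRONTEND_UPDATE_ACL = [ipaddress.ip_network("192.0.2.0/24"),
                       ipaddress.ip_network("2001:db8::/32")]

# Level 2 (ddns code): per zone, TSIG key name -> name suffixes it may change.
ZONE_UPDATE_ACL = {
    "example.org.": {"dhcp-key.": ["dyn.example.org."],
                     "admin-key.": ["example.org."]},
}

@dataclass
class Update:            # hypothetical, already-parsed UPDATE request
    src: str             # source address of the request
    key: Optional[str]   # verified TSIG key name, or None if unsigned
    zone: str
    name: str            # owner name the update wants to change

def frontend_allows(src: str) -> bool:
    """Coarse check: no zone data or zone configuration is consulted."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in FRONTEND_UPDATE_ACL)

def ddns_allows(upd: Update) -> str:
    """Fine-grained check: may this key change this name in this zone?"""
    rules = ZONE_UPDATE_ACL.get(upd.zone.lower())
    if rules is None:
        return NOTAUTH                      # not a zone we accept updates for
    name = upd.name.lower()
    for suffix in rules.get(upd.key, []):
        # Match the suffix itself or a name below it, on a label boundary.
        if name == suffix or name.endswith("." + suffix):
            return NOERROR
    return REFUSED

def handle_update(upd: Update, stats: dict) -> str:
    if not frontend_allows(upd.src):
        # Same answer whether or not the zone exists, and no work for ddns.
        stats["dropped_at_frontend"] = stats.get("dropped_at_frontend", 0) + 1
        return REFUSED
    stats["passed_to_ddns"] = stats.get("passed_to_ddns", 0) + 1
    return ddns_allows(upd)
```

The extra configuration mentioned in the message shows up here as the two separate tables that have to be kept consistent.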