[bind10-dev] DDNS acl then prereqs or vice versa
Evan Hunt
each at isc.org
Tue Jun 5 19:11:52 UTC 2012
> Is it in the scope of the DDNS spec to say when to do ACLs at all? I
> mean, the base RFCs don't say where we should do ACLs on queries or
> transfers, do they?
I think it's implied in a few places, if not stated outright -- but in all
of them, the implication is that permission checks happen exactly when
you'd expect: first. The UPDATE RFC is the exception; RFC 2136, section
3, is explicit about order of processing and permissions checks come after
zone and prerequisite checks. It's always seemed like a mistake, but AFAIK
it hasn't ever been amended.

I would recommend discussing the matter with the author of RFC 2136,
who happens to be a co-worker of ours....
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
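
The processing order discussed in this message, as an added example that is not part of the original post or of BIND 10's code: a simplified Python model of the RFC 2136 section 3 checks, run once in the RFC's order and once with the ACL check moved ahead of the prerequisites. The zone data, addresses, ACL and all function names are constructed for illustration.

```python
# Simplified model of RFC 2136 section 3 processing; all data is constructed.
ZONE = "example.org."
RRSETS = {("www.example.org.", "A"), ("example.org.", "SOA")}  # (name, type)
UPDATE_ACL = {"192.0.2.10"}  # hypothetical set of permitted requestors

def check_zone(req):
    # 3.1: the server must be authoritative for the zone named in the request
    return "NOERROR" if req["zone"] == ZONE else "NOTAUTH"

def check_prereqs(req):
    # 3.2: each prerequisite is (kind, name, rrtype); the first failure sets the rcode
    names = {n for n, _ in RRSETS}
    for kind, name, rrtype in req["prereqs"]:
        if kind == "rrset_exists" and (name, rrtype) not in RRSETS:
            return "NXRRSET"
        if kind == "rrset_absent" and (name, rrtype) in RRSETS:
            return "YXRRSET"
        if kind == "name_in_use" and name not in names:
            return "NXDOMAIN"
        if kind == "name_not_in_use" and name in names:
            return "YXDOMAIN"
    return "NOERROR"

def check_acl(req):
    # 3.3: requestor's permissions
    return "NOERROR" if req["client"] in UPDATE_ACL else "REFUSED"

ORDERS = {
    "rfc2136": (check_zone, check_prereqs, check_acl),
    "acl_before_prereqs": (check_zone, check_acl, check_prereqs),
}

def process_update(req, order):
    for step in ORDERS[order]:
        rcode = step(req)
        if rcode != "NOERROR":
            return rcode
    return "NOERROR"  # the update section (3.4) would be applied at this point

def rcodes_seen(client, order, probes):
    # One UPDATE per prerequisite, so each rcode reflects a single check
    return [process_update({"zone": ZONE, "client": client, "prereqs": [p]}, order)
            for p in probes]

PROBES = [("rrset_absent", "www.example.org.", "A"),
          ("rrset_absent", "mail.example.org.", "A")]

if __name__ == "__main__":
    for order in ORDERS:
        print(order, rcodes_seen("203.0.113.5", order, PROBES))
```

For the requestor outside the ACL, the RFC ordering answers the two probes with YXRRSET and REFUSED, while the ACL-before-prerequisites ordering answers both with REFUSED. A permitted requestor sees the same rcodes under either ordering.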