BIND 10 #1104: support TSIG in DNS (Request) ACL
BIND 10 Development
do-not-reply at isc.org
Tue Jul 12 07:17:26 UTC 2011
#1104: support TSIG in DNS (Request) ACL
-------------------------------------+-------------------------------------
Reporter: jinmei | Owner:
Type: task | Status: new
Priority: major | Milestone: Next-Sprint-Proposed
Component: xfrout |
Sensitive: 0 | Keywords:
Sub-Project: DNS | Defect Severity: N/A
Estimated Difficulty: 0 | Feature Depending on Ticket:
Total Hours: 0 | Add Hours to Ticket: 0
| Internal?: 0
-------------------------------------+-------------------------------------
This is necessary for the expected ACL support for xfrout.
The difficult point is that TSIG keys are identified as DNS names,
so naive comparison as string may result in the wrong (mis)match.
Using dns:Name object is one solution, but it adds a dependency from
the ACL library to libdns++ (we may end up having it for a different
reason, but right now there's no such dependency, and in general
it would be better to have fewer dependencies).
Also, whether we use (some canonical type of) string or bare Name
object, comparing these is generally expensive. (Although it may not
matter much if we only use TSIG based ACL for performance insensitive
operations).
What I'm thinking is to give unique integer IDs to each TSIG key
(a monotonically increasing global counter would probably suffice),
have the application of the ACL extract it and pass it to the ACL
library, and within ACL TSIG keys are simply compared as integers.
But this is just a not fully baked idea. Whoever actually works on this
may find a better way (or a reasonable short term solution even if
it's, e.g., inefficient).
--
Ticket URL: <http://bind10.isc.org/ticket/1104>
BIND 10 Development <http://bind10.isc.org>
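The two points raised in the ticket, the name-comparison pitfall and the integer-ID scheme, as an added worked example. This is illustration code written for this page, not BIND 10's ACL library or libdns++; the class and function names (canonicalName, TsigKeyRegistry, TsigAcl, authorizeRequest) and the key names in the demo are made up, and the canonicalization is a deliberate simplification that handles plain textual names only (ASCII case folding per RFC 4343 plus a single trailing dot; no \DDD escapes, no wire-format labels).

```cpp
#include <cctype>
#include <cstdint>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

// Canonical form of a DNS name for comparison (assumed simplification:
// plain textual names only, no \DDD escapes or IDN): ASCII case-folded as
// RFC 4343 requires, exactly one trailing dot, no empty interior label.
std::string canonicalName(const std::string& name) {
    std::string out;
    out.reserve(name.size() + 1);
    for (char c : name) {
        out.push_back(static_cast<char>(std::tolower(static_cast<unsigned char>(c))));
    }
    if (out.empty() || out.back() != '.') {
        out.push_back('.');
    }
    if (out.find("..") != std::string::npos) {
        throw std::invalid_argument("empty label in DNS name: " + name);
    }
    return out;
}

// The naive string comparison the ticket warns about: case and the
// trailing dot make two spellings of the same key name compare unequal.
bool naiveMatch(const std::string& a, const std::string& b) { return a == b; }

// Name-aware comparison: correct, but canonicalizes both sides on every call.
bool nameMatch(const std::string& a, const std::string& b) {
    return canonicalName(a) == canonicalName(b);
}

// Registry that hands each distinct key name an integer ID from a
// monotonically increasing counter. ID 0 is reserved for "no/unknown key".
class TsigKeyRegistry {
public:
    uint32_t add(const std::string& keyName) {
        const std::string canon = canonicalName(keyName);
        auto it = ids_.find(canon);
        if (it != ids_.end()) return it->second;   // same key, same ID
        const uint32_t id = next_++;
        ids_.emplace(canon, id);
        return id;
    }
    // ID of a key, or 0 if the name is unknown or the request was unsigned.
    uint32_t lookup(const std::string& keyName) const {
        if (keyName.empty()) return 0;
        auto it = ids_.find(canonicalName(keyName));
        return it == ids_.end() ? 0 : it->second;
    }
private:
    std::map<std::string, uint32_t> ids_;  // canonical name -> ID
    uint32_t next_ = 1;
};

enum class Action { ACCEPT, REJECT };

// ACL whose TSIG entries carry only integer IDs; matching is an int compare
// and needs no DNS name type inside the ACL code at all.
class TsigAcl {
public:
    explicit TsigAcl(Action defaultAction) : default_(defaultAction) {}
    void add(uint32_t keyId, Action action) { entries_.push_back({keyId, action}); }
    Action check(uint32_t requestKeyId) const {
        for (const auto& e : entries_) {
            if (e.keyId == requestKeyId) return e.action;   // first match wins
        }
        return default_;
    }
private:
    struct Entry { uint32_t keyId; Action action; };
    std::vector<Entry> entries_;
    Action default_;
};

// What the application (xfrout in the ticket) would do per request: map the
// key name on the request to its ID once, then hand only the ID to the ACL.
// An empty name models an unsigned request.
Action authorizeRequest(const TsigKeyRegistry& keys, const TsigAcl& acl,
                        const std::string& requestKeyName) {
    return acl.check(keys.lookup(requestKeyName));
}

// Worked scenario with constructed key names; returns true if every step
// behaves as expected.
bool demo() {
    TsigKeyRegistry keys;
    const uint32_t xferKey = keys.add("xfer-key.example.");
    const uint32_t otherKey = keys.add("other-key.example.");
    TsigAcl acl(Action::REJECT);            // default: reject
    acl.add(xferKey, Action::ACCEPT);

    bool ok = true;
    ok = ok && !naiveMatch("XFER-KEY.example", "xfer-key.example.");  // wrong: should match
    ok = ok && nameMatch("XFER-KEY.example", "xfer-key.example.");
    ok = ok && keys.add("XFER-KEY.example") == xferKey;               // same key, same ID
    ok = ok && otherKey != xferKey;
    ok = ok && authorizeRequest(keys, acl, "Xfer-Key.Example") == Action::ACCEPT;
    ok = ok && authorizeRequest(keys, acl, "other-key.example.") == Action::REJECT;
    ok = ok && authorizeRequest(keys, acl, "") == Action::REJECT;     // unsigned
    ok = ok && authorizeRequest(keys, acl, "unknown.example.") == Action::REJECT;
    return ok;
}
```

Two caveats a practitioner would want. The IDs are process-local and depend on registration order, so ACL entries naming a key must be resolved to IDs after the key set is loaded, and resolved again whenever keys are reloaded; an ACL holding a stale ID would silently match the wrong key. And the canonicalization above is only the cheap part of name equality; in BIND 10 the name on a request would already have been parsed by libdns++, so the real design question the ticket raises is whether that parsed Name, or a string derived from it, or an integer, crosses the boundary into the ACL library.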