BIND 10 #772: Update xfrout to use ACL checking library
BIND 10 Development
do-not-reply at isc.org
Fri Jul 15 19:23:47 UTC 2011
#772: Update xfrout to use ACL checking library
-------------------------------------+-------------------------------------
 Reporter:  stephen                  |  Owner:  jinmei
 Type:  enhancement                  |  Status:  reviewing
 Priority:  major                    |  Milestone:  Sprint-20110802
 Component:  xfrout                  |  Resolution:
 Keywords:                           |  Sensitive:  0
 Defect Severity:  N/A               |  Sub-Project:  DNS
 Feature Depending on Ticket:        |  Estimated Difficulty:  3.0
 Add Hours to Ticket:  0             |  Total Hours:  0
 Internal?:  0                       |
-------------------------------------+-------------------------------------
Changes (by vorner):
* owner: vorner => jinmei
Comment:
Hello
Replying to [comment:11 jinmei]:
> Personally, I'd accept by default because conceptually xfrout would be
> part of auth, and we'd accept queries by default in auth. But I may
> be biased because while I know there are some paranoid people who
> never want to answer xfr queries except those from the "authorized
> secondaries", I never agree with them (I see some valid cases such as
> a very big zone where xfr queries could be a DoS, but that's an
> exceptional case, not a reason to set the default).
>
> But now that you're leaving, I'm okay, e.g., with leaving this open
> and deferring it to a separate ticket.
OK, I changed it, it is a small change.
> From a bit closer look at it, it's probably safe as ACL is always
> replaced as a whole and specific sessions have their own copy of the
> entire ACL.
Well, I don't know if Python assignment is atomic and if inconsistent
config is OK. But it's not the main point here, I guess.
> You can at least test the 'else' case (if I read it correctly that
> part isn't tested at all right now). But I'd leave it to you.
OK, done.
Thank you
--
Ticket URL: <http://bind10.isc.org/ticket/772#comment:13>
BIND 10 Development <http://bind10.isc.org>
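
The "replaced as a whole, each session has its own copy" pattern discussed in this thread, as an added example that is not BIND 10 code and not part of the original message. Server, Session, check() and the sample addresses are hypothetical, and the accept-by-default fallback is an assumption following the default proposed in the quoted text; the last function shows the fail-open window an in-place update would create instead.

```python
import ipaddress

ACCEPT, REJECT = "ACCEPT", "REJECT"

def check(acl, client_ip, default=ACCEPT):
    """First matching rule wins; an unmatched client gets the default."""
    addr = ipaddress.ip_address(client_ip)
    for net, action in acl:
        if addr in ipaddress.ip_network(net):
            return action
    return default

class Session:
    """Hypothetical transfer session holding its own view of the ACL."""
    def __init__(self, acl):
        self.acl = acl  # immutable tuple captured when the session starts

    def allowed(self, client_ip):
        return check(self.acl, client_ip) == ACCEPT

class Server:
    """Hypothetical holder of the transfer ACL."""
    def __init__(self):
        self.acl = ()  # empty ACL: the default action decides

    def update_acl(self, rules):
        # Build the complete new ACL first, then publish it by rebinding
        # one name. A reader sees the old tuple or the new one, never a mix.
        self.acl = tuple(rules)

    def start_session(self):
        return Session(self.acl)

def demo():
    server = Server()
    old = server.start_session()  # started before the config change
    server.update_acl([("192.0.2.0/24", ACCEPT), ("0.0.0.0/0", REJECT)])
    new = server.start_session()  # started after it
    return (old.allowed("198.51.100.7"),   # old view: default applies
            new.allowed("198.51.100.7"),   # new view: rejected
            new.allowed("192.0.2.53"))     # new view: authorized secondary

def in_place_update_exposes_partial_state():
    shared = [("0.0.0.0/0", REJECT)]  # mutable list, no per-session copy
    session_view = shared
    shared.clear()                    # step 1 of an in-place update
    mid = check(session_view, "198.51.100.7")  # evaluated mid-update
    shared.extend([("192.0.2.0/24", ACCEPT), ("0.0.0.0/0", REJECT)])
    return mid  # ACCEPT, although both old and new ACL reject this client
```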