BIND 10 #1104: support TSIG in DNS (Request) ACL
BIND 10 Development
do-not-reply at isc.org
Wed Jul 20 00:28:28 UTC 2011
#1104: support TSIG in DNS (Request) ACL
-------------------------------------+-------------------------------------
Reporter: jinmei                     | Owner: jinmei
Type: task                           | Status: accepted
Priority: major                      | Milestone: Sprint-20110802
Component: xfrout                    | Resolution:
Keywords:                            | Sensitive: 0
Defect Severity: N/A                 | Sub-Project: DNS
Feature Depending on Ticket:         | Estimated Difficulty: 0.0
Add Hours to Ticket: 0               | Total Hours: 0
Internal?: 0                         |
-------------------------------------+-------------------------------------
Comment (by jinmei):
trac1104 is ready for review.
After thinking about how to handle TSIG keys in the ACL, I've chosen
a quite straightforward way in the end: simply passing TSIGRecord
to RequestContext and having the context retrieve the key name
from it. Comparison is based on Name::operator==(). I chose this
approach so that the caller can construct the context in the most
intuitive way like this:
{{{
// Build the context from the request's source address and its TSIG record
// (which may be null for an unsigned request) and run it through the ACL.
getQueryACL().execute(acl::dns::RequestContext(
                          client.getRequestSourceIPAddress(),
                          query_message->getTSIGRecord()));
}}}
The dependency on libdns++ (and pydnspp in the Python case) might be
a disadvantage, but if an application needs DNS related ACLs it's
quite likely that the application also needs libdns++/pydnspp anyway.
Comparing two names as Name objects is relatively expensive, but
at least for now we don't expect to use this ACL in a very performance
sensitive path (such as for ordinary queries to auth), so it should
be okay. We could consider optimizing it if and when we see the real
need for it.
If this design is okay, the implementation should be quite
straightforward. Probably the most tricky part is the Python wrapper.
Since it's mostly impossible to refer to symbols in the C++ Python
binding for libdns++ from dns.so (or in general between different .so
modules), I introduced a frontend .py to preprocess TSIGRecord passed
to RequestContext so that the C++ implementation for the context class
doesn't have to use symbols in pydnspp bindings directly.
Another note: right now b10-resolver cannot use TSIG based ACL in
practice because there's no way to configure TSIG keys for it right
now. I could add that part in this ticket, but it's not an urgent
goal for us, so I'd rather defer it to a separate task.
Proposed changelog:
{{{
274.? [func] jinmei
Added support for TSIG key matching in ACLs. The xfrout ACL can
now refer to TSIG key names using the "key" attribute. For
example, the following specifies an ACL that allows zone transfer
if and only if the request is signed with a TSIG of a key name
"key.example":
> config set Xfrout/query_acl[0] {"action": "ACCEPT", \
"key": "key.example"}
(Trac #1104, git TBD)
}}}
--
Ticket URL: <http://bind10.isc.org/ticket/1104#comment:3>
BIND 10 Development <http://bind10.isc.org>
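The matching rule the comment describes (key name taken from the request's TSIG record, compared as a DNS name) and the changelog's `"key": "key.example"` entry, as an added illustrative model in Python; this is not BIND 10's own ACL implementation. It assumes a first-match-wins ACL with a default REJECT, a `"from"` attribute for source-address matching, and that `Name::operator==()` compares DNS names case-insensitively.

```python
import ipaddress
from typing import List, Optional


def dns_names_equal(a: str, b: str) -> bool:
    """Model of Name::operator==(): DNS names compare case-insensitively,
    and a trailing dot is treated as optional (both names are absolute)."""
    return a.rstrip(".").lower() == b.rstrip(".").lower()


class RequestContext:
    """Source address plus the TSIG key name extracted from the request's
    TSIG record; tsig_key_name is None when the request was not signed."""

    def __init__(self, source_ip: str, tsig_key_name: Optional[str] = None):
        self.source_ip = ipaddress.ip_address(source_ip)
        self.tsig_key_name = tsig_key_name


def entry_matches(entry: dict, ctx: RequestContext) -> bool:
    """An entry matches only if every attribute it specifies matches."""
    if "from" in entry:  # assumed attribute: source-address prefix match
        if ctx.source_ip not in ipaddress.ip_network(entry["from"], strict=False):
            return False
    if "key" in entry:
        # An unsigned request (no TSIG record) can never satisfy a key attribute.
        if ctx.tsig_key_name is None:
            return False
        if not dns_names_equal(entry["key"], ctx.tsig_key_name):
            return False
    return True


def execute_acl(acl: List[dict], ctx: RequestContext, default: str = "REJECT") -> str:
    """First matching entry wins; with no match the (assumed) default applies."""
    for entry in acl:
        if entry_matches(entry, ctx):
            return entry["action"]
    return default


# Constructed sample ACL: the changelog's key entry plus an address-based entry.
QUERY_ACL = [
    {"action": "ACCEPT", "key": "key.example"},
    {"action": "ACCEPT", "from": "192.0.2.0/24"},
]
```

A request from an unlisted address is accepted only when its TSIG key name equals `key.example` (in any letter case); unsigned or differently keyed requests from that address fall through to REJECT.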