BIND 10 #1104: support TSIG in DNS (Request) ACL
BIND 10 Development
do-not-reply at isc.org
Thu Jul 21 20:32:01 UTC 2011
#1104: support TSIG in DNS (Request) ACL
-------------------------------------+-------------------------------------
Reporter: | Owner: jinmei
jinmei | Status: reviewing
Type: task | Milestone:
Priority: major | Sprint-20110802
Component: | Resolution:
xfrout | Sensitive: 0
Keywords: | Sub-Project: DNS
Defect Severity: N/A | Estimated Difficulty: 0.0
Feature Depending on Ticket: | Total Hours: 0
Add Hours to Ticket: 0 |
Internal?: 0 |
-------------------------------------+-------------------------------------
Changes (by stephen):
* owner: stephen => jinmei
Comment:
'''src/bin/xfrout/tests/xfrout_test.py.in'''
In the part of test_parse_query_message that does the TSIG ACL checks,
TSIG_KEY is added to the "self.xfrsess" key ring multiple times - is this
needed?
'''src/lib/acl/tests/dnsname_check_unittest.cc'''
In the "match" test, the superdomain against which the check should be
made should be "com", not "org".
'''src/lib/python/isc/acl/_dns.py'''
Is this really a good name for this file? _dns.py" is very close to
"dns.py".
A comment in this file refers to "log.so", which appears not to be
relevant here.
'''!ChangeLog'''
Looks OK
'''Miscellaneous'''
The TSIG ACL check is only on the basis of record name, which prompts the
question "can we guarantee that the TSIG data is always checked?". In
other words, could it be possible for a user to construct an ACL for some
operation that includes a check on the TSIG key, but for the code for that
operation not to check it? In which case security could be subverted by
sending through a key of a given name but with arbitrary data.
--
Ticket URL: <http://bind10.isc.org/ticket/1104#comment:6>
BIND 10 Development <http://bind10.isc.org>
BIND 10 Development
More information about the bind10-tickets
mailing list