BIND 10 #1104: support TSIG in DNS (Request) ACL

BIND 10 Development do-not-reply at isc.org
Fri Jul 22 09:56:49 UTC 2011 

#1104: support TSIG in DNS (Request) ACL
-------------------------------------+-------------------------------------
                   Reporter:         |                 Owner:  jinmei
  jinmei                             |                Status:  reviewing
                       Type:  task   |             Milestone:
                   Priority:  major  |  Sprint-20110802
                  Component:         |            Resolution:
  xfrout                             |             Sensitive:  0
                   Keywords:         |           Sub-Project:  DNS
            Defect Severity:  N/A    |  Estimated Difficulty:  0.0
Feature Depending on Ticket:         |           Total Hours:  0
        Add Hours to Ticket:  0      |
                  Internal?:  0      |
-------------------------------------+-------------------------------------
Changes (by stephen):

 * owner:  stephen => jinmei


Comment:

 Changes are OK. (Although I think you're being a bit hard on yourself
 about the "com" v "org" test - the name in question matches neither and I
 can't think of an easy way to check that you're not matching the the name
 you don't want to match against :-))

 > We cannot guarantee that. The assumption is that if an application uses
 a TSIG based ACL, it's application's responsibility to perform TSIG
 validation before performing the ACL check. Maybe we should document it as
 a note somewhere (but I'm not sure what's the best place for that. In
 changelog at the moment?)
 I think that's dangerous.  As the ACL is set up by the user (who may
 decide to include a TSIG check for a whole host of reasons) and the ACL
 checking code can be used by any application, the application may not know
 that the ACL contains a TSIG check.  For that reason, it seems logical
 that once the ACL code has checked that the name matches, it should also
 check that the TSIG key data is correct.

 As we are both at the IETF next week, rather than leave this ticket in
 limbo I suggest that you merge the code to master and we continue this
 discussion on the bind10-dev list.  Another ticket can be created if the
 conclusion is to add the TSIG key data check to the code.

-- 
Ticket URL: <http://bind10.isc.org/ticket/1104#comment:9>
BIND 10 Development <http://bind10.isc.org>
BIND 10 Development

More information about the bind10-tickets mailing list