BIND 10 #1104: support TSIG in DNS (Request) ACL
BIND 10 Development
do-not-reply at isc.org
Sun Jul 24 18:41:04 UTC 2011
#1104: support TSIG in DNS (Request) ACL
-------------------------------------+-------------------------------------
                   Reporter:  jinmei  |                 Owner:  jinmei
                       Type:  task    |                Status:  reviewing
                   Priority:  major   |             Milestone:  Sprint-20110802
                  Component:  xfrout  |            Resolution:
                   Keywords:          |             Sensitive:  0
            Defect Severity:  N/A     |           Sub-Project:  DNS
Feature Depending on Ticket:          |  Estimated Difficulty:  0.0
        Add Hours to Ticket:  0       |           Total Hours:  0
                  Internal?:  0       |
-------------------------------------+-------------------------------------
Changes (by stephen):
* owner: stephen => jinmei
Comment:
> ...one possible solution is to enhance the TSIGRecord class so that it
> can store a state indicating the record has been verified, and have
> TSIGContext::verify() change the state to "verified" on success (to make
> it possible we need to stop constifying the 'record' parameter,
> though).
As part of a solution to avoid multiple verifications of the same
record, that would work. To avoid the overhead involved with
"unconstifying" TSIGContext, we could make the internal "verified" flag
mutable.
> Then we can change RequestContext so that it will ignore the given TSIG
> record unless its state is "verified".
I'm not sure what you meant here. If an ACL requires a check on a TSIG
record, that check needs to be carried out; you can't ignore the record
just because it has not been verified.
Using your idea, I was more envisaging TSIGContext::verify() being called
during the ACL checking procedure (and in other places), performing the
verification if called for the first time and returning the stored
verification state on subsequent calls.
--
Ticket URL: <http://bind10.isc.org/ticket/1104#comment:12>
BIND 10 Development <http://bind10.isc.org>
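The verify-once scheme discussed in this comment, written out as an added C++ example. This is not BIND 10 code: TsigContext, TsigRecord, RequestContext, TsigKeyCheck, handleRequest and the toy MAC are illustrative names, and the FNV-1a keyed digest stands in for the HMAC that real TSIG uses. The ACL check drives verification itself (a missing, mismatched or bad signature fails the check), and a later consumer of the same request gets the cached state instead of recomputing the MAC.

```cpp
// Added example, not BIND 10 code: a TSIG context that verifies a record
// once and hands the cached state to every later caller, including an ACL
// check.  All names are illustrative; only the verify-once pattern is the point.
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

enum class TsigState { Unverified, Verified, BadSig };

// Stand-in for the TSIG RR: signer key name plus the MAC it carries.
struct TsigRecord {
    std::string keyName;
    std::vector<uint8_t> mac;
};

// Toy keyed digest (FNV-1a over key || 0 || message) standing in for HMAC so
// the example runs without a crypto library.  Not secure; illustration only.
static std::vector<uint8_t> toyMac(const std::string& key, const std::string& message) {
    uint64_t h = 1469598103934665603ULL;
    for (unsigned char c : key + '\0' + message) {
        h ^= c;
        h *= 1099511628211ULL;
    }
    std::vector<uint8_t> out(8);
    for (int i = 0; i < 8; ++i) out[i] = static_cast<uint8_t>(h >> (8 * i));
    return out;
}

// Constant-time comparison so a tampered MAC cannot be probed byte by byte.
static bool macEqual(const std::vector<uint8_t>& a, const std::vector<uint8_t>& b) {
    if (a.size() != b.size()) return false;
    unsigned diff = 0;
    for (size_t i = 0; i < a.size(); ++i) diff |= a[i] ^ b[i];
    return diff == 0;
}

// Builds the TSIG record a client would attach to 'message' (hypothetical helper).
TsigRecord signRequest(const std::string& keyName, const std::string& secret,
                       const std::string& message) {
    return TsigRecord{keyName, toyMac(secret, message)};
}

// One context per request.  verify() is const and takes the record by const
// reference; the cached result is a 'mutable' member, which is the alternative
// to un-constifying the record that the thread mentions.
class TsigContext {
public:
    TsigContext(std::string keyName, std::string secret)
        : keyName_(std::move(keyName)), secret_(std::move(secret)) {}

    TsigState verify(const TsigRecord& record, const std::string& message) const {
        if (state_ != TsigState::Unverified) return state_;   // memoised result
        ++verifications_;
        bool ok = record.keyName == keyName_ && macEqual(record.mac, toyMac(secret_, message));
        state_ = ok ? TsigState::Verified : TsigState::BadSig;
        return state_;
    }
    int verificationCount() const { return verifications_; }

private:
    std::string keyName_, secret_;
    mutable TsigState state_ = TsigState::Unverified;
    mutable int verifications_ = 0;
};

// What an ACL check sees: the signed wire data, the TSIG record (if any) and
// the context able to verify it.
struct RequestContext {
    std::string message;
    const TsigRecord* tsig;
    const TsigContext* tsigContext;
};

// ACL element "signed by <key>".  It drives verification itself instead of
// ignoring an unverified record: a missing, mismatched or bad signature fails.
struct TsigKeyCheck {
    std::string requiredKey;
    bool matches(const RequestContext& ctx) const {
        if (ctx.tsig == nullptr || ctx.tsigContext == nullptr) return false;
        if (ctx.tsig->keyName != requiredKey) return false;
        return ctx.tsigContext->verify(*ctx.tsig, ctx.message) == TsigState::Verified;
    }
};

struct Outcome {
    bool allowed;
    int verifications;   // how many times the MAC was actually recomputed
};

// Runs the ACL, then a later stage (e.g. preparing the signed response) that
// asks verify() again.  The MAC is computed at most once per request.
Outcome handleRequest(const std::string& wire, const TsigRecord& record,
                      const TsigContext& ctx, const TsigKeyCheck& acl) {
    RequestContext rctx{wire, &record, &ctx};
    bool allowed = acl.matches(rctx);
    ctx.verify(record, wire);   // second consumer; returns the cached state
    return Outcome{allowed, ctx.verificationCount()};
}
```

With a correctly signed request the ACL passes and verificationCount() stays at 1 even though verify() was called twice; with a tampered MAC the first call caches BadSig, the ACL denies, and the second caller still triggers no recomputation. The mutable members keep the record itself const, which is the trade-off the comment weighs against un-constifying the 'record' parameter.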