BIND 10 #999: Integrate ACLs into b10-resolver
BIND 10 Development
do-not-reply at isc.org
Fri Jun 24 08:39:49 UTC 2011
#999: Integrate ACLs into b10-resolver
-------------------------------------+-------------------------------------
                   Reporter:  vorner |                 Owner:  jinmei
                       Type:  task   |                Status:  accepted
                   Priority:  major  |             Milestone:  Sprint-20110628
                  Component:  Unclassified |        Resolution:
                   Keywords:         |             Sensitive:  0
            Defect Severity:  N/A    |           Sub-Project:  DNS
Feature Depending on Ticket:         |  Estimated Difficulty:  4.0
        Add Hours to Ticket:  0      |           Total Hours:  0
                  Internal?:  0      |
-------------------------------------+-------------------------------------
Comment (by jinmei):
Branch trac999 is ready for review.
It depends on a snapshot version of trac998, but I believe the
interface is now fixed and this branch can be safely reviewed.
I've played with the generic loader framework (introduced in #769
and now merged in the master) for a while, but decided to keep
the current approach (using a minimalist separate loader within
the resolver code) as this branch itself is already quite big, and
adapting the current code to the generic loader would make it even
larger. If it's okay, I'll create a separate follow-up ticket for
the unification work.
As a consequence, I've kept the Client class for the resolver ACL
context in the server_common module. In the follow-up work, I'd move
the ACL specific part under acl and merge it with the RequestContext
class. Until then I'd propose holding off the discussion on where the
Client class should go (or whether we need it).
The first commit in this branch is a merge to incorporate trac998 and
should be ignored. The rest of the diff can be retrieved by
git diff 217c097.
Also note that some part of the change in io_endpoint_unittest.cc is
irrelevant to the subject of this branch (commit 217c097), but I
noticed the bug while I worked on this branch and since it's quite
trivial I fixed it within the branch. If it's noisy, I'm okay with
reverting it and moving it to a separate ticket.
Finally, to enable the default ACL, I added generic code that had
b10-resolver load all initial configuration (as b10-auth does). It's
commit 181283a. As noted in the commit log, this eliminated the
hardcoded listen_on default. This would be a nice side effect, but
since the effect is larger than the minimal scope of this ticket,
please carefully review this change.
This is the proposed changelog entry:
{{{
261.?   [func]*         jinmei
        b10-resolver: Introduced ACL on incoming queries. By default the
        resolver accepts queries from ::1 and 127.0.0.1 and rejects all
        others. The ACL can be configured with bindctl via the
        "Resolver/query_acl" parameter. For example, to accept queries
        from 192.0.2.0/24 (in addition to the default list), do this:
        > config add Resolver/query_acl
        > config set Resolver/query_acl[2]/action "ACCEPT"
        > config set Resolver/query_acl[2]/from "192.0.2.0/24"
        > config commit
        (Trac #999, git TBD,
        also based on other ACL related work done by stephen and vorner)
}}}
--
Ticket URL: <http://bind10.isc.org/ticket/999#comment:9>
BIND 10 Development <http://bind10.isc.org>
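The following is an added illustration of the query_acl behaviour described in the proposed changelog entry above; it is example code written for this page, not code from the BIND 10 resolver or from the trac999 branch. It models the ACL as a list of {action, from} entries evaluated first-match from the top, with an implicit REJECT for any client that matches no entry (the changelog's "rejects all others"), a default list of ACCEPT for 127.0.0.1 and ::1, and a tiny interpreter for exactly the three bindctl line forms shown in the changelog (`config add` appending an empty entry, `config set` on an index, `config commit` as a no-op). The first-match rule, the implicit default action and the REJECT action name are assumptions of this model, not facts stated on the page.

```python
"""Model of Resolver/query_acl semantics (added example, not BIND 10 code).

Assumptions (not stated on the page): first-match evaluation, implicit
REJECT when nothing matches, and ACCEPT/REJECT as the only actions.
"""
import copy
import ipaddress
import re
import shlex

# The default list from the changelog entry: loopback only, v4 and v6.
DEFAULT_QUERY_ACL = [
    {"action": "ACCEPT", "from": "127.0.0.1"},
    {"action": "ACCEPT", "from": "::1"},
]

# The bindctl lines quoted in the changelog entry (constructed input).
CHANGELOG_CMDS = [
    '> config add Resolver/query_acl',
    '> config set Resolver/query_acl[2]/action "ACCEPT"',
    '> config set Resolver/query_acl[2]/from "192.0.2.0/24"',
    '> config commit',
]

_SET_RE = re.compile(r"^Resolver/query_acl\[(\d+)\]/(action|from)$")
_ACTIONS = {"ACCEPT", "REJECT"}  # assumed action vocabulary


def apply_bindctl(acl, commands):
    """Apply bindctl-style lines to a copy of acl and return the new list.

    Only the forms used in the changelog are modelled:
      config add Resolver/query_acl             -> append an empty entry
      config set Resolver/query_acl[N]/KEY VAL  -> set KEY on entry N
      config commit                             -> no-op here
    Any other line, a bad index, or a bad key raises ValueError.
    """
    acl = copy.deepcopy(acl)
    for line in commands:
        words = shlex.split(line.lstrip("> "))  # drop the bindctl prompt
        if words == ["config", "add", "Resolver/query_acl"]:
            acl.append({})
        elif words[:2] == ["config", "set"] and len(words) == 4:
            m = _SET_RE.match(words[2])
            if m is None:
                raise ValueError(f"unsupported config item: {words[2]!r}")
            idx, key = int(m.group(1)), m.group(2)
            if idx >= len(acl):
                # 'config add' must precede 'config set' on a new index.
                raise ValueError(f"no entry {idx}; did you 'config add' first?")
            acl[idx][key] = words[3]
        elif words == ["config", "commit"]:
            continue
        else:
            raise ValueError(f"unsupported bindctl line: {line!r}")
    return acl


def validate_acl(acl):
    """Raise ValueError if an entry is incomplete or has a bad address/action."""
    for i, entry in enumerate(acl):
        if entry.get("action") not in _ACTIONS:
            raise ValueError(f"entry {i}: bad or missing action {entry.get('action')!r}")
        if "from" not in entry:
            raise ValueError(f"entry {i}: missing 'from'")
        ipaddress.ip_network(entry["from"], strict=False)  # raises on junk


def evaluate_acl(acl, client_addr, default_action="REJECT"):
    """Return the action for client_addr: first matching entry wins,
    otherwise the (assumed) implicit default, REJECT."""
    validate_acl(acl)
    client = ipaddress.ip_address(client_addr)
    for entry in acl:
        net = ipaddress.ip_network(entry["from"], strict=False)
        # A v4 client never matches a v6 prefix and vice versa.
        if client.version == net.version and client in net:
            return entry["action"]
    return default_action


if __name__ == "__main__":
    acl = apply_bindctl(DEFAULT_QUERY_ACL, CHANGELOG_CMDS)
    for addr in ("127.0.0.1", "::1", "192.0.2.5", "198.51.100.1"):
        print(f"{addr:>14}  default={evaluate_acl(DEFAULT_QUERY_ACL, addr):6}"
              f"  extended={evaluate_acl(acl, addr)}")
```

The point a practitioner should take from the model is the index in `Resolver/query_acl[2]`: the two default entries occupy indices 0 and 1, so `config add` appends an empty entry 2 that the two `config set` lines then fill; setting an index that was never added is an error rather than an implicit append. An entry that has been added but not fully set is rejected by `validate_acl` rather than silently matching nothing.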