acl controls
Yanek Korff
yanek at cigital.com
Mon Oct 29 22:06:48 UTC 2001
As I thought. I will notify the DNS admins at the ISP about the crack they
must recently have taken.
-Yanek.
> -----Original Message-----
> From: Kevin Darcy [mailto:kcd at daimlerchrysler.com]
> Sent: Monday, October 29, 2001 4:44 PM
> To: 'bind-users at isc.org'
> Subject: Re: acl controls
>
> No, this is a really bad idea. How are you going to translate the IP address
> into a domain name? Do a reverse query? That's unreliable, since many folks
> don't bother with reverse DNS records. Also, it's easily spoofed unless you
> also do a forward query to confirm the results of the reverse query. So now
> you're talking about originating 2 queries for every one query that comes in.
> The client could easily time out while you're trying to verify their
> "credentials" in this way. Not only that, but what if 2 nameservers tried to
> "authenticate" each other in this way? They could end up causing an
> authentication loop and melting each other down.
>
> Just use IP addresses or address ranges. AFAIK, that's the only thing
> BIND supports in an ACL besides TSIG keys anyway.
>
>
> - Kevin
>
> Yanek Korff wrote:
>
> > No, I mean exactly what I said. Can an ACL control specify a domain? I am
> > aware that I can have different ACLs for different zones. I am hesitant to
> > just "try it" as I don't have a test DNS server handy.
> >
> > -Yanek.
> >
> > -----Original Message-----
> > From: Drew J. Weaver [mailto:drew.weaver at thenap.com]
> > Sent: Monday, October 29, 2001 4:26 PM
> > To: 'Yanek Korff'; 'bind-users at isc.org'
> > Subject: RE: acl controls
> >
> > If you mean, can you specify who can pull which specific domains then yes.
> >
> > -Drew
> >
> > -----Original Message-----
> > From: Yanek Korff [mailto:yanek at cigital.com]
> > Sent: Monday, October 29, 2001 4:05 PM
> > To: 'bind-users at isc.org'
> > Subject: acl controls
> >
> > I'm familiar with using acl's to specify servers which can slave by using IP
> > addresses and IP prefix (slash notation). Is it possible to specify acl
> > controls by domain? As in...
> > acl goodPeople {
> > .goodpeople.net;
> > }
> >
> > ?
> >
> > My ISP claims it is. I have my doubts.
> >
> > -Yanek.
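The point Kevin makes above (BIND ACL elements are addresses, prefixes and TSIG keys, never domain names) in a named.conf fragment. This is an added example, not configuration from anyone in the thread: the addresses, the ACL name, the zone, the key name and the key secret are placeholders chosen for illustration, and the secret must be replaced with real tsig-keygen (or, on older releases, dnssec-keygen) output before use. hmac-sha256 is assumed, which needs BIND 9.4 or later; the BIND 9.1/9.2 releases current when this thread was written only supported hmac-md5.

```conf
// Added example, not code from the thread. Addresses, names and the
// secret below are placeholders.

// An ACL is an address match list: prefixes, single addresses, "key" names,
// the built-ins any/none/localhost/localnets, other ACL names, and "!" negation.
// There is no element type for a domain such as ".goodpeople.net"; a PTR-based
// lookup is not something named does when evaluating an ACL.
acl goodPeople {
    192.0.2.0/24;           // placeholder: the ISP's secondary servers, by prefix
    198.51.100.7;           // placeholder: a single host
    !203.0.113.0/24;        // negation: explicitly refuse this range
    // .goodpeople.net;     // NOT valid syntax; named will refuse to load it
};

// TSIG key shared with the secondaries. Address spoofing is cheap; a key is not.
key "goodpeople-xfer" {
    algorithm hmac-sha256;      // BIND 9.4+; earlier releases only had hmac-md5
    secret "ZXhhbXBsZQ==";      // placeholder base64, replace with tsig-keygen output
};

zone "example.net" {
    type master;                // "primary" in 9.16+, "master" still accepted
    file "db.example.net";

    // Elements in a match list are OR'ed, so "{ goodPeople; key goodpeople-xfer; }"
    // would accept either an unsigned request from a listed address or a signed
    // request from anywhere. The nested, negated list below is the documented
    // idiom for requiring BOTH: a request from outside goodPeople matches the
    // inner list and is rejected by the outer "!"; one from inside falls through
    // to the key element and is accepted only if it carries a valid signature.
    allow-transfer { !{ !goodPeople; any; }; key goodpeople-xfer; };
};
```

Check the result with `named-checkconf` before reloading; the commented-out domain element, if uncommented, is a parse error rather than a silently ignored entry, which is the quickest way to settle the question asked in the thread without a test server. Load the same key into the secondaries' `server` statements (`server 192.0.2.1 { keys { goodpeople-xfer; }; };`) so their AXFR/IXFR requests are signed.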