BIND 8.2.2 (notify): not ready for servers with multiple IP addresses

Xuan Baldauf kW at exmail.de
Thu Nov 11 23:04:25 UTC 1999



Markus Stumpf wrote:

> On Thu, Nov 11, 1999 at 03:25:15AM +0100, Xuan Baldauf wrote:
> > I think that this is a bug, because the slave does not know without
> > further help by the administrator which IP addresses the master for a
> > domain has besides the ones in the NS entries.
>
> The bug is in your setup.
> Configure your secondaries with master entries pointing to the IP the
> primary uses to send the notifies and it will work, regardless of
> what the NS zone records show. This however assumes that the primary
> will also honor AXFR requests from the secondaries on that IP.

This is probably somewhat difficult, as the IP the primary server uses to send
notify messages is likely to change, as we are restructuring our internal network
nearly every week. This would be a workaround, but not a solution.

> You could also do a small patch to the bind code to allow every IP
> to send notifies. Last time I checked it was a three liner or so.
> However such a patch will probably make you open to DoS attacks
> very easily.

You'd probably laugh, but at first I wrote that patch:

diff -U 3 -r ../bind8.2.2/src/bin/named/ns_req.c ./src/bin/named/ns_req.c
--- ../bind8.2.2/src/bin/named/ns_req.c Fri Oct 15 21:49:04 1999
+++ ./src/bin/named/ns_req.c Wed Nov 10 21:26:43 1999
@@ -515,10 +515,17 @@
    goto refuse;
   }
   if (findZonePri(zp, from) == -1) {
-   ns_info(ns_log_notify,
+
+/*   ns_info(ns_log_notify,
+
    "NOTIFY(SOA) from non-master server (zone %s), from %s",
     zp->z_origin, sin_ntoa(from));
    goto refuse;
+*/
+   ns_info(ns_log_notify,
+   "NOTIFY(SOA) from non-master server (zone %s), from %s: still accepting",
+    zp->z_origin, sin_ntoa(from));
+   // goto refuse;
   }
   break;
  default:
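Review bot: with `goto refuse` commented out, the `findZonePri(zp, from) == -1` branch now falls through to `break`, so a NOTIFY for the zone is accepted from any source address and the only sender check in this path is gone; this is exactly the DoS exposure the thread already raises, since an unauthenticated packet can now make the secondary start SOA refresh work. If the goal is to accept notifies from the primary's other interfaces, compare `from` against an explicit list of permitted notify sources before the `break` rather than dropping the check. On style: delete the old `ns_info` call instead of wrapping it in `/* ... */`, and avoid the `// goto refuse;` C++-style comment in this C file, which pre-C99 compilers used with BIND 8 may reject.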

After that, I convinced myself that this is no good solution (because of possible
DoS attacks).

>
> I thought of adding a "allow-notify" option, but solved it with the
> above setup, as that was the quicker and IMHO cleaner solution.

I tracked the problem down: the "query-source address * port *;" option specifies
the interface used for the server's own queries. The socket for the queries is reused
for notify messages. So I changed this option to the IP address most secondaries will expect.

Our current situation is that we were merging two primary name servers to one
(transferring zones and config, stealing the IP address from the former primary
server). The secondaries of the new zones will have to be reconfigured to fetch
zone data from the same IP address as the secondaries of the old zones, because of
the "query-source address xxx.xxx.xxx.xxx port *;" statement.

I think it's still a kind of design bug to make the functionality of secondary name
servers depend on the IP addresses a primary name server has.

>
>
>         \Maex
>
> --
> SpaceNet GmbH             |   http://www.Space.Net/   | Yeah, yo mama dresses
> Research & Development    | mailto:maex-sig at Space.Net | you funny and you need
> Joseph-Dollinger-Bogen 14 |  Tel: +49 (89) 32356-0    | a mouse to delete files
> D-80807 Muenchen          |  Fax: +49 (89) 32356-299  |

Cheers,
Xuân. :-)

--
Medium.net
Xuân Baldauf
Fliederweg 19
04827 Gerichshain bei Leipzig
Funk: 0(049)172/3528788
Fon: 0(049)34292/74809
Fax: 0(049)34292/75392
Site: http://www.medium.net/
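An added example, not part of the original message or of BIND itself: a small script for the secondary's administrator that reads the "NOTIFY(SOA) from non-master server" lines BIND 8 logs (the message text quoted in the patch above), tallies which source address actually sent the refused notifies per zone, and says whether that address is one the multi-homed primary is known to own (so it belongs in the slave's `masters` list, as suggested in the thread) or an unexpected sender worth investigating. The syslog prefix, the `[addr].port` rendering of `sin_ntoa()`, the sample log lines, the zone names and the addresses are all constructed assumptions of this example.

```python
"""Find which address a multi-homed primary really sends NOTIFY from,
using the secondary's own refusal log lines (BIND 8 ns_req.c message)."""
import re
from collections import Counter, defaultdict

# Fixed message text from ns_req.c; the syslog prefix and the "[addr].port"
# form of sin_ntoa() are assumptions, so only the message text is anchored.
NOTIFY_RE = re.compile(
    r"NOTIFY\(SOA\) from non-master server \(zone (?P<zone>[^)]+)\), "
    r"from (?P<src>\S+)"
)
ADDR_RE = re.compile(r"\[?(\d+(?:\.\d+){3})\]?(?:\.\d+)?$")

# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
Nov 11 02:55:01 ns2 named[123]: NOTIFY(SOA) from non-master server (zone example.net), from [192.0.2.20].2049
Nov 11 02:55:03 ns2 named[123]: NOTIFY(SOA) from non-master server (zone example.net), from [192.0.2.20].2050
Nov 11 03:01:10 ns2 named[123]: NOTIFY(SOA) from non-master server (zone example.org), from [203.0.113.9].1025
Nov 11 03:05:00 ns2 named[123]: zone example.com: unrelated line, ignored
"""

# What the secondary's named.conf currently lists as masters (constructed).
MASTERS = {"example.net": {"192.0.2.10"}, "example.org": {"192.0.2.10"}}
# Every interface the primary is known to own, from the admin's inventory
# (constructed); this is the knowledge the slave itself lacks.
PRIMARY_ADDRESSES = {
    "example.net": {"192.0.2.10", "192.0.2.20"},
    "example.org": {"192.0.2.10", "192.0.2.20"},
}


def source_address(src):
    """Reduce '[192.0.2.20].2049' (or a bare address) to '192.0.2.20'."""
    m = ADDR_RE.match(src)
    return m.group(1) if m else src


def rejected_notifies(lines):
    """Map zone -> Counter of source addresses whose NOTIFY was refused."""
    seen = defaultdict(Counter)
    for line in lines:
        m = NOTIFY_RE.search(line)
        if m:
            seen[m.group("zone")][source_address(m.group("src"))] += 1
    return seen


def classify(seen, masters, primary_addresses):
    """Return (zone, addr, count, verdict) tuples.

    'add-to-masters': the sender is a known interface of the zone's primary,
    i.e. the query-source/notify-source case discussed in the thread.
    'investigate': a host that is not the primary is sending NOTIFY; do not
    widen the masters list for it."""
    out = []
    for zone, counts in sorted(seen.items()):
        for addr, n in sorted(counts.items()):
            if addr in masters.get(zone, set()):
                continue  # cannot be refused; skip defensively
            known = addr in primary_addresses.get(zone, set())
            out.append((zone, addr, n, "add-to-masters" if known else "investigate"))
    return out


def masters_clause(addrs):
    """Render a named.conf masters clause for the given addresses."""
    return "masters { " + " ".join(f"{a};" for a in sorted(addrs)) + " };"


if __name__ == "__main__":
    seen = rejected_notifies(SAMPLE_LOG.splitlines())
    for zone, addr, n, verdict in classify(seen, MASTERS, PRIMARY_ADDRESSES):
        print(f"{zone}: {n} refused NOTIFY from {addr} -> {verdict}")
        if verdict == "add-to-masters":
            print("  suggested:", masters_clause(MASTERS[zone] | {addr}))
```

The split between the two verdicts is the point: the log alone cannot tell a second interface of the primary from a stray sender, so the inventory of the primary's addresses is the input that decides whether to widen `masters`, instead of accepting notifies from everyone as the patch above did.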