bind NOTIFY protocol

Jim Reid jim at rfc1035.com
Thu Dec 21 23:06:19 UTC 2000


>>>>> "Barry" == Barry Margolin <barmar at genuity.net> writes:

    >> <jim at rfc1035.com> wrote:
    >> NOTIFY messages are sent to the addresses of the zone's NS
    >> records. A name server can be configured to send them to other
    >> addresses too: see the also-notify clause in BIND[89]. Keeping
    >> track of previous zone xfers is not wise: how can the server
    >> tell the difference between a slave server's axfr request and
    >> some random user just making an axfr with dig or nslookup?
    >> Think of the fun - denial of service attacks - if the server
    >> had to keep track of the source address of every axfr request
    >> it got. RFC1996 will tell you more than you probably want to
    >> know about the NOTIFY protocol.

    Barry> BIND already keeps track of the addresses of every client
    Barry> or server that it interacts with if you enable
    Barry> host-statistics (we've enabled this on all our servers and
    Barry> haven't found it to be a big problem).

True, but that wasn't what I was thinking about. The extra RAM to hold
the addresses of the axfr clients is neither here nor there. As you
say, you get this anyway when host-statistics are enabled. I was
thinking of the possibility of corner-case internal problems if the
server had to manage a queue of maybe thousands of NOTIFY messages to
process for a single zone. And what a queue of that size might do to
the server's zone maintenance and sysquery functions. [e.g. What if
there's not enough time to get all the NOTIFYs out before the zone is
next reloaded.] Or how about keeping track of the NOTIFYs that don't
get answered and should be retransmitted.

Note: I'm definitely not saying there are problems there. I don't know
as I've not tested it or studied the code in detail. I'm just saying
there might be. In extreme cases. Like a DDOS attack.

    Barry> Throwing in the addresses of AXFR clients is not likely to
    Barry> kill it.  And unless he made use of a DDOS attack
    Barry> mechanism, a random user couldn't make axfr requests from
    Barry> lots of different hosts.

Indeed, but I understand that DDOS attacks are the current vogue for
the bad guys and script kiddies.
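Added illustration (not part of Jim's or Barry's posts, and not BIND's own code): the NOTIFY exchange the thread is discussing, written against RFC 1996 in plain Python with only the standard library. It builds a NOTIFY request (opcode 4, AA set, one SOA question), parses it on the receiving side, answers it, and applies the two policy points made above: the primary's notify set comes from the zone's NS records plus also-notify, never from remembered AXFR clients, and the secondary ignores a NOTIFY whose source is not one of its configured primaries, so a stranger cannot drive refresh queries or transfers just by spraying NOTIFYs at it. The zone name, the addresses (RFC 5737 documentation ranges) and the secondary's primaries table are constructed for the example; nothing is sent on the network.

```python
"""RFC 1996 DNS NOTIFY, built and parsed in memory, as an added illustration.
Nothing here touches the network."""
import struct

OPCODE_NOTIFY = 4          # NOTIFY opcode value from RFC 1996
TYPE_SOA, CLASS_IN = 6, 1
RCODE_NOERROR = 0

def encode_name(name):
    """Dotted name -> uncompressed DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(buf, off):
    """Wire labels at buf[off:] -> (dotted name, offset after the name).
    No compression-pointer support: a request's question name never uses one."""
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def build_notify(zone, msg_id):
    """Primary -> secondary NOTIFY request: opcode NOTIFY, AA set, QR clear,
    one question of zone/SOA/IN. The optional answer section that may carry
    the new SOA RR is omitted."""
    flags = (OPCODE_NOTIFY << 11) | (1 << 10)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)

def parse_notify(msg):
    """Validate and decode a NOTIFY request; ValueError for anything else."""
    if len(msg) < 12:
        raise ValueError("message too short")
    msg_id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000:
        raise ValueError("QR set: this is a response, not a request")
    if (flags >> 11) & 0xF != OPCODE_NOTIFY:
        raise ValueError("opcode is not NOTIFY")
    if qdcount != 1:
        raise ValueError("NOTIFY carries exactly one question")
    try:
        zone, off = decode_name(msg, 12)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    except (IndexError, struct.error):
        raise ValueError("truncated question section")
    if qtype != TYPE_SOA:
        raise ValueError("only QTYPE=SOA is handled here")
    return {"id": msg_id, "zone": zone, "qtype": qtype, "qclass": qclass}

def build_response(request, rcode=RCODE_NOERROR):
    """Response to a NOTIFY: same ID, opcode and question; QR set, RCODE filled."""
    msg_id, flags = struct.unpack("!HH", request[:4])
    flags = ((flags | 0x8000) & ~0xF) | rcode
    return struct.pack("!HH", msg_id, flags) + request[4:]

def notify_set(ns_addrs, primary_addr, also_notify=()):
    """Primary side: notify the addresses of the zone's NS records, minus the
    primary itself, plus any also-notify entries (RFC 1996 notify set plus
    BIND's also-notify). Past AXFR clients are deliberately not a source."""
    return (set(ns_addrs) | set(also_notify)) - {primary_addr}

def handle_notify(msg, source_ip, primaries_by_zone):
    """Secondary side. Per RFC 1996 a NOTIFY whose source is not a known
    primary for the zone is ignored (and should be logged), so an outsider
    cannot make the secondary issue SOA queries or transfers.
    Returns (action string, response bytes or None)."""
    try:
        req = parse_notify(msg)
    except ValueError as err:
        return ("drop: %s" % err, None)
    known = primaries_by_zone.get(req["zone"])
    if known is None:
        return ("drop: not a secondary for %s" % req["zone"], None)
    if source_ip not in known:
        return ("drop: NOTIFY for %s from %s, not a known primary"
                % (req["zone"], source_ip), None)
    return ("refresh: query SOA at %s for %s" % (source_ip, req["zone"]),
            build_response(msg))

# Constructed demo data: RFC 5737 documentation addresses, not real servers.
PRIMARY = "192.0.2.1"
NS_ADDRS = ["192.0.2.1", "192.0.2.53", "198.51.100.53"]
ALSO_NOTIFY = ["203.0.113.7"]
SECONDARY_PRIMARIES = {"example.com.": {"192.0.2.1"}}   # zone -> its primaries

if __name__ == "__main__":
    print("notify set:", sorted(notify_set(NS_ADDRS, PRIMARY, ALSO_NOTIFY)))
    req = build_notify("example.com.", 0x1234)
    for src in ("192.0.2.1", "203.0.113.99"):
        action, resp = handle_notify(req, src, SECONDARY_PRIMARIES)
        print("%-14s -> %s | response: %s" % (src, action, resp.hex() if resp else None))
```

Running it prints the notify set (the two other NS addresses plus the also-notify target, with the primary's own address removed), a refresh action with a NOERROR response for the NOTIFY from the configured primary, and a dropped NOTIFY with no response for the one from 203.0.113.99. The secondary's acceptance decision is a lookup in a fixed, operator-configured table, which is the point of the thread: the server never has to remember who previously asked it for a zone transfer, so a flood of AXFR requests or NOTIFYs from arbitrary addresses costs it nothing but the parse.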


