bind NOTIFY protocol
Jim Reid
jim at rfc1035.com
Thu Dec 21 23:06:19 UTC 2000
>>>>> "Barry" == Barry Margolin <barmar at genuity.net> writes:
>> <jim at rfc1035.com> wrote:
>> NOTIFY messages are sent to the addresses of zone's NS
>> records. A name server can be configured to send them to other
>> addresses too: see the also-notify clause in BIND[89]. Keeping
>> track of previous zone xfers is not wise: how can the server
>> tell the difference between a slave server's axfr request and
>> some random user just making an axfr with dig or nslookup?
>> Think of the fun - denial of service attacks - if the server
>> had to keep track of the source address of every axfr request
>> it got. RFC1996 will tell you more than you probably want to
>> know about the NOTIFY protocol.
Barry> BIND already keeps track of the addresses of every client
Barry> or server that it interacts with if you enable
Barry> host-statistics (we've enabled this on all our servers and
Barry> haven't found it to be a big problem).
True, but that wasn't what I was thinking about. The extra RAM to hold
the addresses of the axfr clients is neither here nor there. As you
say, you get this anyway when host-statistics are enabled. I was
thinking of the possibility of corner-case internal problems if the
server had to manage a queue of maybe thousands of NOTIFY messages to
process for a single zone. And what a queue of that size might do to
the server's zone maintenance and sysquery functions. [e.g. What if
there's not enough time to get all the NOTIFYs out before the zone is
next reloaded.] Or how about keeping track of the NOTIFYs that don't
get answered and should be retransmitted.
Note: I'm definitely not saying there are problems there. I don't know
as I've not tested it or studied the code in detail. I'm just saying
there might be. In extreme cases. Like a DDOS attack.
Barry> Throwing in the addresses of AXFR clients is not likely to
Barry> kill it. And unless he made use of a DDOS attack
Barry> mechanism, a random user couldn't make axfr requests from
Barry> lots of different hosts.
Indeed, but I understand that DDOS attacks are the current vogue for
the bad guys and script kiddies.
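As an added illustration of the mechanics discussed in this thread (this is example code written for this page, not part of Jim's or Barry's posts and not BIND's own code), the block below encodes an RFC 1996 NOTIFY request (opcode 4, AA set, a single SOA question for the zone), builds the matching response (same ID and question, QR set), and computes the set of NOTIFY targets the way the post describes: the zone's NS addresses minus the sending server itself, plus an also-notify list. The zone name, hostnames and addresses are constructed for the example. A final helper shows the alternative the post argues against, adding every past AXFR client to the target set, so that the target list grows with however many source addresses an AXFR client (or attacker) can use.

```python
"""RFC 1996 NOTIFY wire format and target selection (added example, not from the original post)."""
import struct

OPCODE_NOTIFY = 4   # RFC 1996 section 3.1
QTYPE_SOA = 6
QCLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf, off):
    """Decode an uncompressed wire-format name starting at buf[off]; return (name, next offset)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not expected in a NOTIFY question")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def build_notify(msg_id, zone):
    """NOTIFY request: QR=0, opcode=NOTIFY, AA=1, QDCOUNT=1, question = <zone> SOA IN."""
    flags = (OPCODE_NOTIFY << 11) | (1 << 10)  # AA bit set, QR clear
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)
    return header + question


def parse_message(buf):
    """Parse the header and first question of a NOTIFY request or response."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    qname, off = decode_name(buf, 12)
    qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
    return {
        "id": msg_id,
        "qr": flags >> 15,
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd,
        "ancount": an,
        "qname": qname,
        "qtype": qtype,
        "qclass": qclass,
    }


def build_notify_response(request):
    """NOTIFY response: copy ID, opcode and question from the request, set QR=1 (RFC 1996 s3.7)."""
    msg = parse_message(request)
    if msg["opcode"] != OPCODE_NOTIFY or msg["qdcount"] != 1 or msg["qr"] != 0:
        raise ValueError("not a NOTIFY request")
    flags = (1 << 15) | (OPCODE_NOTIFY << 11) | (1 << 10)
    header = struct.pack("!HHHHHH", msg["id"], flags, 1, 0, 0, 0)
    return header + request[12:]  # question section reused verbatim


def notify_targets(zone_ns, own_names, also_notify):
    """Targets as the post describes: every NS of the zone except this server, plus also-notify.

    zone_ns maps NS hostname -> address; own_names is the set of names this server answers as.
    """
    targets = {addr for name, addr in zone_ns.items() if name not in own_names}
    return targets | set(also_notify)


def targets_if_tracking_axfr(zone_ns, own_names, also_notify, axfr_clients):
    """The design the post argues against: every past AXFR client also becomes a NOTIFY target.

    Nothing distinguishes a real slave's AXFR from dig/nslookup, so the target set is
    bounded only by how many source addresses an AXFR client can use.
    """
    return notify_targets(zone_ns, own_names, also_notify) | set(axfr_clients)
```

The only thing the responder has to do is echo the request with QR set; the primary is expected to retry until it sees that echo (or gives up), which is the retransmission queue the post worries about if the target list were to grow with every AXFR source address.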