FQDNs in masters-list (was: Help: Secondary for...)

Mark.Andrews@nominum.com
Tue Mar 13 00:29:33 UTC 2001


> 
> At 1:14 PM -0500 3/12/01, Kevin Darcy wrote:
> 
> >  Um, yeah, so what? This is the *BIND* list, not namedroppers. It's
> >  appropriate to discuss implementation details here. I'd like to see
> >  signed-NOTIFY-based slave auto-configuration someday added to BIND, and
> >  I'm eliciting comments on whether folks would find this a valuable
> >  feature or not. I assume your answer is "no" (?)
> 
> 	You can't propose protocol changes to solve a problem specific to 
> BIND.  Use BIND-specific mechanisms to solve problems specific to 
> BIND, and use protocol changes to solve problems in the protocol. 
> But never the twain should meet.

	This is NOT a protocol change.  All we are doing is using a
	different method to identify the master to the slave than was
	traditionally used.

	Traditionally the slave has used the IP address to identify
	the master.  With TSIG the number of mechanisms available to
	identify the master grew.  This just takes advantage of the
	new mechanism.  All this exists within the DNS protocol as
	it exists today.

	It has never been anything but an *implementation* requirement
	that slaves get given the IP address of the master.  In fact
	I had an experimental server years ago that didn't require an
	IP address for the master.  It wasn't secure as we didn't have
	the crypto support then but it could be made so now.

> 
> >  Well, I don't know about "unsigned content within a zone transfer". If
> >  the zone transfer itself is signed, is that not sufficient?
> 
> 	Not unless you can guarantee that signing the zone transfer 
> itself is sufficient to guarantee freedom from replay attacks.  There 
> may also be additional reasons, which I have not yet figured out. 
> For now, I'm leaning towards the probability that you'd have to sign 
> each and every record within the zone, as well as the SOA for the 
> zone.

	TSIG is enough to ensure that you are talking to the master
	when you are performing the zone transfer.

	Mark

> 
> --
> Brad Knowles, <brad.knowles@skynet.be>
> 
> #!/usr/bin/perl -w
> # 531-byte qrpff-fast, Keith Winstein and Marc Horowitz <sipb-iap-dvd@mit.edu>
> # MPEG 2 PS VOB file on stdin -> descrambled output on stdout
> # arguments: title key bytes in least to most-significant order
> # Usage:
> # qrpff 153 2 8 105 225 /mnt/dvd/VOB_FILE_NAME | extract_mpeg2 | mpeg2_dec -
> $_='while(read+STDIN,$_,2048){$a=29;$b=73;$c=142;$t=255;@t=map{$_%16or$t^=$c^=(
> $m=(11,10,116,100,11,122,20,100)[$_/16%8])&110;$t^=(72,@z=(64,72,$a^=12*($_%16
> -2?0:$m&17)),$b^=$_%64?12:0,@z)[$_%8]}(16..271);if((@a=unx"C*",$_)[20]&48){$h
> =5;$_=unxb24,join"",@b=map{xB8,unxb8,chr($_^$a[--$h+84])}@ARGV;s/...$/1$&/;$
> d=unxV,xb25,$_;$e=256|(ord$b[4])<<9|ord$b[3];$d=$d>>8^($f=$t&($d>>12^$d>>4^
> $d^$d/8))<<17,$e=$e>>8^($t&($g=($q=$e>>14&7^$e)^$q*8^$q<<6))<<9,$_=$t[$_]^
> (($h>>=8)+=$f+(~$g&$t))for@a[128..$#a]}print+x"C*",@a}';s/x/pack+/g;eval
> 
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@nominum.com
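
The point Mark makes above (the slave recognises its master by the TSIG key the request is signed with, not by the IP address it arrives from, and TSIG's time-signed/fudge window is what closes the replay concern raised in the quoted reply) as an added worked example, written by the editor and not code from BIND or from anyone in this thread. It builds an AXFR query, signs it per RFC 2845 (using hmac-sha256 from RFC 4635 rather than the hmac-md5 of 2001-era BIND), and verifies it the way a master would: an unknown key name is BADKEY, a wrong secret or tampered message is BADSIG, and a replay outside the fudge window is BADTIME. The key name, secret, zone and timestamps are constructed for the example; name compression is not handled because these messages never use it.

```python
"""Minimal TSIG (RFC 2845 / RFC 4635) signing and verification for a DNS AXFR
request, standard library only.  Editor's example; not BIND code."""
import hashlib
import hmac
import struct

HMAC_SHA256 = "hmac-sha256."      # algorithm name carried as an FQDN
TSIG_TYPE, AXFR_TYPE, CLASS_IN, CLASS_ANY = 250, 252, 1, 255

# Constructed key table a master might hold: key name -> shared secret.
SLAVE_KEYS = {"slave-key.example.": b"constructed-shared-secret-not-real"}


def wire_name(name):
    """Dotted FQDN -> DNS wire format, lowercased (canonical form for the MAC)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(buf, off):
    """Parse an uncompressed wire name at buf[off]; returns (dotted name, next offset)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        labels.append(buf[off:off + n].decode("ascii").lower())
        off += n
    return ".".join(labels) + ".", off


def axfr_query(zone, msg_id):
    """Header plus one question (zone, AXFR, IN), no TSIG yet."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", AXFR_TYPE, CLASS_IN)


def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """TSIG RR fields covered by the MAC (RFC 2845 section 3.4.2)."""
    return (wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0)
            + wire_name(HMAC_SHA256)
            + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
            + struct.pack("!HH", error, len(other)) + other)


def sign(msg, key_name, secret, time_signed, fudge=300):
    """Append a TSIG RR to an unsigned message and bump ARCOUNT."""
    mac = hmac.new(secret, msg + tsig_variables(key_name, time_signed, fudge),
                   hashlib.sha256).digest()
    orig_id = struct.unpack("!H", msg[:2])[0]
    rdata = (wire_name(HMAC_SHA256)
             + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
             + struct.pack("!H", len(mac)) + mac
             + struct.pack("!HHH", orig_id, 0, 0))       # original ID, error, other len
    rr = wire_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr


def verify(signed, keys, now):
    """Master-side check; returns NOERROR, BADKEY, BADSIG, BADTIME or FORMERR."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    off = 12
    for _ in range(qd):
        off = read_name(signed, off)[1] + 4                # skip qtype/qclass
    last = None
    for _ in range(an + ns + ar):                          # TSIG must be the last RR
        start = off
        name, off = read_name(signed, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", signed[off:off + 10])
        off += 10
        last = (start, name, rtype, signed[off:off + rdlen])
        off += rdlen
    if last is None or last[2] != TSIG_TYPE:
        return "FORMERR"
    start, key_name, _, rdata = last
    alg, p = read_name(rdata, 0)
    if key_name not in keys or alg != HMAC_SHA256:        # identity is the key, not the IP
        return "BADKEY"
    hi, lo, fudge, maclen = struct.unpack("!HIHH", rdata[p:p + 10])
    time_signed = (hi << 32) | lo
    mac = rdata[p + 10:p + 10 + maclen]
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:start]
    expected = hmac.new(keys[key_name], unsigned + tsig_variables(key_name, time_signed, fudge),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return "BADSIG"
    if abs(now - time_signed) > fudge:                     # replay window check
        return "BADTIME"
    return "NOERROR"


def demo(now=1_000_000):
    """Constructed scenarios: who gets a transfer and who is refused."""
    q = axfr_query("example.", 0x1234)
    good = sign(q, "slave-key.example.", SLAVE_KEYS["slave-key.example."], now)
    return {
        "genuine slave": verify(good, SLAVE_KEYS, now),
        "same packet replayed later": verify(good, SLAVE_KEYS, now + 600),
        "question altered in flight": verify(good[:12] + b"\x07exampl3" + good[20:], SLAVE_KEYS, now),
        "impostor, right IP, wrong secret": verify(sign(q, "slave-key.example.", b"guess", now), SLAVE_KEYS, now),
        "unknown key name": verify(sign(q, "other.example.", b"x", now), SLAVE_KEYS, now),
    }


if __name__ == "__main__":
    for case, rc in demo().items():
        print(f"{case:36s} {rc}")
```

Only the holder of the shared secret can produce a MAC that verifies, so a master configured with `allow-transfer { key ...; }` semantics is identifying the slave by what it knows rather than where it connects from, which is the symmetric form of what Mark describes for the slave identifying its master. The fudge check is what stops a captured, correctly signed request from being replayed after the window; a real server should also compare the TSIG's original ID with the message ID and carry the request MAC into the response MAC, which this example omits.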

