acl controls

Kevin Darcy kcd at daimlerchrysler.com
Mon Oct 29 21:44:11 UTC 2001


No, this is a really bad idea. How are you going to translate the IP address
into a domain name? Do a reverse query? That's unreliable, since many folks
don't bother with reverse DNS records. Also, it's easily spoofed unless you
also do a forward query to confirm the results of the reverse query. So now
you're talking about originating 2 queries for every one query that comes in.
The client could easily time out while you're trying to verify their
"credentials" in this way. Not only that, but what if 2 nameservers tried to
"authenticate" each other in this way? They could end up causing an
authentication loop and melting each other down.

Just use IP addresses or address ranges. AFAIK, that's the only thing
BIND supports in an ACL besides TSIG keys anyway.


- Kevin

Yanek Korff wrote:

> No, I mean exactly what I said.  Can an ACL control specify a domain?  I am
> aware that I can have different ACLs for different zones.  I am hesitant to
> just "try it" as I don't have a test DNS server handy.
>
> -Yanek.
>
> -----Original Message-----
> From: Drew J. Weaver [mailto:drew.weaver at thenap.com]
> Sent: Monday, October 29, 2001 4:26 PM
> To: 'Yanek Korff'; 'bind-users at isc.org'
> Subject: RE: acl controls
>
> If you mean, can you specify who can pull which specific domains then yes.
>
> -Drew
>
> -----Original Message-----
> From: Yanek Korff [mailto:yanek at cigital.com]
> Sent: Monday, October 29, 2001 4:05 PM
> To: 'bind-users at isc.org'
> Subject: acl controls
>
> I'm familiar with using acl's to specify servers which can slave by using IP
> addresses and IP prefix (slash notation).  Is it possible to specify acl
> controls by domain?  As in...
> acl goodPeople {
>   .goodpeople.net;
> }
>
> ?
>
> My ISP claims it is.  I have my doubts.
>
> -Yanek.
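For reference, here is what the address-based ACL Kevin recommends looks like in practice. This is an added example, not configuration from the original thread or from ISC; every address, key name, file name and secret is a placeholder, and the secret is a dummy base64 string rather than a generated key. The fragment shows the element types BIND accepts in an address match list (addresses, prefixes, built-in names, other ACLs, TSIG key names, and "!" negation), and both sides of a TSIG-signed zone transfer.

```conf
// ---- primary named.conf (added example; all values are placeholders) ----

// TSIG key shared with the secondary. The secret below is a dummy
// 32-byte base64 value; generate a real one with tsig-keygen, or with
// dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST <name> on older releases.
key "xfer-goodpeople" {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
};

// Valid ACL elements: single addresses, prefixes in slash notation,
// the built-ins (any, none, localhost, localnets), other ACL names,
// key names, nested lists, and "!" to negate an element.
// A bare domain name such as ".goodpeople.net;" is not an address
// match list element and named refuses to load the file.
acl goodPeople {
    192.0.2.53;              // one secondary, by address
    198.51.100.0/24;         // a block of secondaries, by prefix
    key "xfer-goodpeople";   // any peer that signs with this TSIG key
};

options {
    directory "/var/named";
    allow-transfer { none; };   // deny by default; zones opt in below
};

zone "example.com" {
    type master;                // newer BIND 9 spells this "type primary"
    file "db.example.com";
    // Elements are tested in order and the first match wins, so a
    // negated host must precede the prefix that would otherwise admit it.
    allow-transfer { !198.51.100.13; goodPeople; };
};

zone "example.net" {
    type master;
    file "db.example.net";
    // A match list is an OR of its elements. To require BOTH the expected
    // source address AND a valid signature, negate a nested list that
    // matches every address except the one you trust, then require the key:
    // anything not from 192.0.2.53 is rejected by the first element, and
    // what remains must still carry a valid TSIG signature.
    allow-transfer { !{ !192.0.2.53; any; }; key "xfer-goodpeople"; };
};

// ---- secondary named.conf (added example; placeholder values) ----

key "xfer-goodpeople" {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
};

// Sign every request sent to the primary with the shared key.
server 192.0.2.1 {
    keys { "xfer-goodpeople"; };
};

zone "example.com" {
    type slave;                 // newer BIND 9 spells this "type secondary"
    masters { 192.0.2.1; };
    file "slaves/db.example.com";
};
```

You do not need a test server to find out whether named will accept a given acl statement: `named-checkconf /path/to/named.conf` parses the file without starting the daemon and reports the line of the first syntax error, so the ".goodpeople.net;" form can be tried safely. Note the difference between the two controls: an address or prefix only restricts who may ask (AXFR runs over TCP, so a spoofed source has to complete the handshake, but any host inside a listed prefix qualifies), while a TSIG key authenticates the requester regardless of its address. Listing a key on its own in allow-transfer therefore means a leaked key permits transfers from anywhere, which is why the example.net zone above ties the key to an address as well.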


