how to list ALL zones of my master server

Kevin Darcy kcd at daimlerchrysler.com
Mon Sep 30 20:36:35 UTC 2002


Jim Reid wrote:

> >>>>> "Fred" == Fred Viles <fv+abuse at nospam.epitools.com> writes:
>
> First of all, please remove the nospam crap from your email
> address. It doesn't stop spammers. [They have tools to delete this
> nospam nonsense.] All you do is present an email address that can't be
> replied to. This is very anti-social on a MAILING LIST.
>
>     Fred> Actually it does (or can).  I'm thinking of the NOTIFY
>     Fred> message.  In theory, a slave could treat a NOTIFY for an
>     Fred> unknown domain coming from a trusted master as a signal to
>     Fred> automatically add a new slave zone.
>
> Ignoring the trust issue -- which is a hard problem to solve in itself
> -- how do you propose the NOTIFY message would encode other information
> such as who's allowed to send dynamic updates or do zone transfers or
> where the slave server stores the zone file or....?

Jim, I haven't seen anyone suggest that all of this
implementation-specific configuration data be crammed into the
NOTIFY packet. The NOTIFY is just a *trigger* to create a new slave zone
definition; all of the details of configuring the zone would come from
other sources -- defaults, templates, local conventions, etc. I really
don't understand why people are so hostile to using NOTIFY as a
zone-creation trigger. Is this any *worse* than the other ersatz methods
that folks are using to automate slave zone-creation, e.g. a special
"private" zone containing nothing but a list of zones to be slaved?
NOTIFY-triggered slave-zone-creation may not be a perfect, comprehensive
solution, but it's a step forward IMO, and doesn't deserve the pushback
that it always seems to receive when it's mentioned here.

> And as for the DoS possibilities...

I see this as just another facet of the trust issue, which you said you
were ignoring.

If the NOTIFY is unsigned or the signature doesn't verify, ignore the
NOTIFY. How is this a serious DoS possibility? Technically, the
NOTIFY standard would have to be amended in order to allow NOTIFYs to be
TSIG-signed, but this isn't an insurmountable obstacle...


-Kevin
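A sketch of the scheme Kevin describes, added here as an illustration rather than code from the thread or from BIND: a signed NOTIFY from a trusted master acts only as a trigger, the zone stanza itself comes from a local template, and an unsigned or unverifiable NOTIFY is ignored. The trust store, zone list, template and addresses are constructed, and `verify_tsig` is a simplified stand-in (HMAC over the message body only) for real TSIG verification.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed trust store: master address -> (TSIG key name, shared secret).
TRUSTED_MASTERS = {"192.0.2.1": ("master-key", b"constructed-shared-secret")}

# Zones this slave already serves (constructed).
KNOWN_ZONES = {"example.com."}

# Local template supplying everything the NOTIFY does not carry.
ZONE_TEMPLATE = (
    'zone "{zone}" {{\n'
    "    type slave;\n"
    "    masters {{ {master} key {key}; }};\n"
    '    file "slaves/{file}";\n'
    "    allow-transfer {{ none; }};\n"
    "}};\n"
)

@dataclass
class Notify:
    zone: str                 # QNAME of the NOTIFY, e.g. "new.example."
    source: str               # source address of the packet
    key_name: Optional[str]   # TSIG key name, None if unsigned
    mac: Optional[bytes]      # TSIG MAC, None if unsigned
    wire: bytes               # message bytes that were signed

def sign(wire: bytes, secret: bytes) -> bytes:
    """Master side of the stand-in: MAC over the message body."""
    return hmac.new(secret, wire, hashlib.sha256).digest()

def verify_tsig(n: Notify) -> bool:
    """Stand-in for TSIG verification (RFC 2845 also covers key name,
    algorithm, time and fudge; omitted here). Unsigned => not trusted."""
    if n.key_name is None or n.mac is None:
        return False
    entry = TRUSTED_MASTERS.get(n.source)
    if entry is None or entry[0] != n.key_name:
        return False
    return hmac.compare_digest(sign(n.wire, entry[1]), n.mac)

def handle_notify(n: Notify) -> Optional[str]:
    """Return a zone stanza to add, or None when nothing is created."""
    if not verify_tsig(n):        # unsigned or bad signature: ignore it
        return None
    if n.zone in KNOWN_ZONES:     # ordinary NOTIFY: refresh, no new zone
        return None
    KNOWN_ZONES.add(n.zone)
    name = n.zone.rstrip(".")
    return ZONE_TEMPLATE.format(zone=name, master=n.source,
                                key=n.key_name, file=name + ".db")
```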



