acl's and some suggestions for ISC
Kevin Darcy
kcd at daimlerchrysler.com
Fri Jan 23 02:40:50 UTC 2004
/dev/rob0 wrote:
>I'm setting up BIND at a customer site, freeing them (me) from the
>dreaded djbdns. Ahhh, nice. I set up a master (on an internal server)
>and a slave (on the gateway/router.) I thought I'd try using some acl
>statements to ease the transition.
>
>The new master BIND server is still running djbdns: tinydns on localhost
>and dnscache on its Ethernet interface. So I made an eth0:dns alias on
>another IP and used that as the "listen-on" address.
>
>I was hoping to use an acl on the slave server, rather than put the IP
>in the masters option for each of several zone statements. That way I'd
>only have one place to edit when I change over with BIND on the main IP.
>It seems that "masters" can't use an acl. (Yes, the acl statement came
>before the zone statement.)
>
>Why not? The BIND 9 Configuration Reference implied that acl's could be
>used anywhere one might need a list of IP's or netblocks. There really
>wasn't much said about "masters" syntax, but I see on closer examination
>now that some options say "address_match_list", but masters does not.
>Why can't "masters" use an address_match_list?
>
I don't speak for ISC, but I suspect one reason might be to prevent
admins from accidentally making their slaves less secure than they
realize. What's in the "masters" clause is not just for the internal use
of that box, but actually establishes a form of trust between the slave
and its master(s), a trust relationship which could potentially be
exploited or abused. For instance, what if someone included an address
match list of 192.168.1.0/24 -- either directly or via a named acl -- in
a "masters" clause? That might seem a nifty thing to do if you have 2 or
more masters in that address range. But what if the address range is
later subdivided, with part of it becoming "untrusted"? Then something
in that untrusted range could potentially spoof a NOTIFY to the slave
and voila! inject a spoofed version of a DNS zone into it. (Sure,
address spoofing itself is also possible but significantly more
difficult if the proper controls are in place in the routers, switches,
firewalls, etc. And granted, anyone who is really *serious* about
security is going to TSIG-authenticate zone transfers anyway, so I'm
talking about the middle ground here between super-paranoid and
trivially spoofed).
You could say "okay, then just have a separate kind of 'acl' which
doesn't permit fancy combinations of address prefixes and/or negation",
i.e. this new "lite" acl would just be a symbolic name for a bunch of
enumerated addresses, keys and/or nested "lite" acls. Sure, but if
you're going to special-case things like that *solely* for the "masters"
clause, why not special-case the "masters" clause itself and just say
one can't use address_match_lists in it? Keep It Simple.
- Kevin
More information about the bind-users
mailing list