"external" update policy (was: BIND 9.8.0rc1 is now available.)

Phil Mayers p.mayers at imperial.ac.uk
Tue Feb 15 16:55:24 UTC 2011


On 15/02/11 01:15, Mark Andrews wrote:

>       * There is a new update-policy match type "external". This allows
>         named to decide whether to allow a dynamic update by checking with
>         an external daemon. Contributed by Andrew Tridgell of the Samba
>         Project. [RT #22758]

This is a useful feature (which I've just tested). However it has some 
rather serious flaws for certain use-cases[1].

Specifically, the data supplied to the external helper loses much of the 
context from the original update request. Imagine you have a zone:

foo.domain.com  TXT "some data"
foo.domain.com    A 192.168.1.10

...and someone sends:

update delete nx.domain.com
update delete foo.domain.com
update add www.domain.com 300 A 192.168.1.1
update add www2.domain.com 300 AAAA 2001:db8::1

...the helper will receive 4 separate external lookups:

name=foo.domain.com rrtype=TXT
name=foo.domain.com rrtype=A
name=www.domain.com rrtype=A
name=www2.domain.com rrtype=AAAA

The problems I see are:

  * You see nothing for "nx.domain.com"
  * Each lookup is on a separate unix stream socket, so you don't know 
they're related.
  * There's no info about whether it's a delete or addition
  * Because of this, if you deny the last one, you can't know that the 
previous 3 didn't apply either

I understand why these happen and that it might be difficult to fix, but 
thought I'd mention it here.


[1] One of the use-cases we have in mind is logging dynamic updates by 
windows clients and using the external policy check to order our 
existing static "SQL->DNS" process to "skip" those; if a client sends an 
update with multiple add/deletes and we only deny one, we will 
erroneously mark the others to be skipped, because we lack transactional 
info (as well as whether it's a delete/add)


Also:

  1. It's normally obvious from the keyname or identity, but since it 
might be possible for those to conflict, the key algorithm would be 
useful as an explicit field.

  2. The documentation says "Requests to the external daemon are sent 
over the UNIX-domain socket as datagrams"; this is a bit confusing at 
and could be reworded. The unix socket is a SOCK_STREAM socket (not a 
datagram socket) receiving version/len/payload frames - this took a few 
minutes to figure out. Maybe:

"Request to the external daemon are sent over a UNIX stream socket. 
Request messages are formatted as follows..."



More information about the bind-users mailing list