parental-agents clause - IP address only ?
Timothe Litt
litt at acm.org
Tue Dec 6 12:57:46 UTC 2022
On 06-Dec-22 01:58, Erich Eckner wrote:
>
> [snip]
> This made me curious: Is there some design rule forbidding bind to use
> the system resolver to resolve names it does not know about? I.e. why
> does it not query any resolvers in /etc/resolv.conf (probably via some
> system interface - sry, I have no idea, how "normal" programs resolve
> names) if it encounters an unknown name at a place where only an ip
> address is allowed so far?
>
> That being said: I'm not saying, it *should* do so, I'm merely
> curious, why it does not. :-)
>
> regards,
> Erich
>
>
See man 3 getnameinfo and gataddrinfo for the current way of resolving
DNS names via the standard library. gethostbyname and gethostbyaddr are
the older functions (overall less functional, harder to deal with IPv6 -
but can deal with multiple names for a host).
Resolving names in a resolver can be complicated. Especially when
recovering from an outage - if you are the first resolver back, who do
you ask? Additionally, resolving names is slow - not a big problem for
configuration data, unless you are operating a really large server.
(Which many named operators are...) But you don't want unnecessary
resolution on live code paths. Which creates the question: if a name is
in, say an ACL: does that mean "whatever the name resolved to when the
server started", or "whatever the name resolves to when the ACL is
used"? The latter might be expected, but performance would crater.
Then there are the security issues: if someone can fool you into using
their server for name resolution, they can get whatever configuration
items to do what they want. So, if allow-update is supposed to be your
management host, they might supply an IP address that allows them to
update your DNS. Of course, there's DNSSEC - but that requires more
infrastructure to be up when you boot that first server after a blackout.
None are insurmountable technical problems, but it's a lot of complexity
(hence room for bugs). The consensus is that it's not worth it for the
return. As noted earlier in the thread, most places where IP addresses
are used are fairly static. That lends itself to an external solution.
(As examples, I have a root hints file from the 80s - while a couple of
addresses have changed, it's still good enough today. The root DNSSEC
key has only changed once. Server IP addresses change on a timescale of
years - when hardware is replaced - maybe. And when a corporate merger
renumbers networks. Or if you're a small operator and don't own your IP
addresses, when you change ISPs.)
This is also why I emphasized "TRUSTED" in selecting a suitable resolver
for an external process. In any case, using "include" in configurations
can help to modularize/isolate the places where IP addresses are used.
Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20221206/8c88719f/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 495 bytes
Desc: OpenPGP digital signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20221206/8c88719f/attachment.sig>
More information about the bind-users
mailing list