List: bind-workers
Subject: Re: Client address to "external" via UNIX-domain socket
From: Jan-Piet Mens <jpmens.dns () gmail ! com>
Date: 2011-03-21 8:55:54
Message-ID: 20110321085554.GA79055 () jmbp ! mens ! de
Evan,
> Can you go into more detail about why you need this?
Thinking aloud, ideally, BIND would offer the following capabilities,
when made available to a large number of clients who may update
their zones.
1. Limit the number of total RR in a zone on a per-zone basis. When a
configured limit is reached, a ddns update is refused. The
reasoning behind this is to prevent a client DoS'ing a BIND server.
Something along the lines of
    zone-policy {
        max-records local-ddns none;
        max-records "client1.key.name" 200;
        max-records "client2.client.name" 400;
    };
I have not fully thought about what consequences that would have,
e.g. what happens when client1 reaches a limit: may it then delete
records?
2. Better logging of ddns updates; which client (IP and key name) did
what, when, etc. (We talked recently about the small patch I
submitted.)
With matchtype external I was hoping to be able to hook up this kind of
functionality, but I now realize I'm on the wrong track.
> > Alternatively, is there a way to prevent updates over UDP?
>
> Well, if you're using matchtype external and the policy daemon
> rejects anything that doesn't send an address, that would prevent
> updates over UDP, I guess...
(grins) Yes, hadn't thought of that one. :)
Regards,
-JP
_______________________________________________
bind-workers mailing list
bind-workers@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-workers
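The policy daemon Evan describes above (reject anything that arrives without a TCP source address, which refuses every UDP update), written out as an added example; it is not code from this thread, from ISC or from BIND. The request layout follows the BIND ARM's description of the "external" update-policy rule as I read it (an assumption: a 4-byte version, a 4-byte length, five NUL-terminated strings for signer, name, TCP source address, rdata type and key, then a length-prefixed TKEY token, answered with one byte, 1 = allow, 0 = deny). The socket path is a hypothetical placeholder and the two requests in the usage note are constructed sample data. It also logs signer, name and type per decision, which covers the logging wish in point 2.

```python
"""Minimal policy daemon for BIND's "external" update-policy match type.

Added example, not the thread's or ISC's code. Wire format assumed from the
BIND ARM description of the external rule: named connects to the UNIX-domain
socket named in the rule ("local:/path"), sends one request and waits for a
single reply byte (1 = allow, 0 = deny).
"""
import logging
import os
import socket
import struct

PROTOCOL_VERSION = 1
ALLOW, DENY = b"\x01", b"\x00"
log = logging.getLogger("ddns-policy")


def build_request(signer, name, tcp_addr, rdtype, key, token=b""):
    """Encode a request the way named does (used here to construct samples)."""
    body = b"".join(s.encode() + b"\x00"
                    for s in (signer, name, tcp_addr, rdtype, key))
    body += struct.pack("!I", len(token)) + token
    return struct.pack("!II", PROTOCOL_VERSION, len(body)) + body


def parse_request(data):
    """Decode one request; raise ValueError if malformed or not yet complete."""
    if len(data) < 8:
        raise ValueError("incomplete header")
    version, _length = struct.unpack("!II", data[:8])
    if version != PROTOCOL_VERSION:
        raise ValueError("unsupported protocol version %d" % version)
    # Walk the five NUL-terminated strings instead of trusting the length field.
    fields, pos = [], 8
    for _ in range(5):
        end = data.find(b"\x00", pos)
        if end < 0:
            raise ValueError("incomplete string fields")
        fields.append(data[pos:end].decode("ascii", "replace"))
        pos = end + 1
    if len(data) < pos + 4:
        raise ValueError("incomplete token length")
    (token_len,) = struct.unpack("!I", data[pos:pos + 4])
    token = data[pos + 4:pos + 4 + token_len]
    if len(token) < token_len:
        raise ValueError("incomplete token")
    signer, name, tcp_addr, rdtype, key = fields
    return {"signer": signer, "name": name, "tcp_addr": tcp_addr,
            "rdtype": rdtype, "key": key, "token": token}


def decide(req):
    """Policy: allow only updates that arrived over TCP.

    named fills the TCP source address only for TCP updates, so an empty
    field means the update came over UDP and is refused.
    """
    if not req["tcp_addr"]:
        log.warning("deny signer=%s name=%s type=%s reason=udp",
                    req["signer"], req["name"], req["rdtype"])
        return DENY
    log.info("allow signer=%s name=%s type=%s from=%s",
             req["signer"], req["name"], req["rdtype"], req["tcp_addr"])
    return ALLOW


def handle(conn):
    """Read one request from a connection and answer with a single byte."""
    conn.settimeout(5)
    buf = b""
    while True:
        try:
            req = parse_request(buf)
            break
        except ValueError as exc:
            if not str(exc).startswith("incomplete"):
                log.error("bad request: %s", exc)
                conn.sendall(DENY)
                return
        chunk = conn.recv(4096)
        if not chunk:  # peer closed before a complete request arrived
            return
        buf += chunk
    conn.sendall(decide(req))


def serve(path="/var/run/named/ddns-policy.sock"):  # hypothetical path
    """Serve forever; the path must match the "local:" identity in update-policy."""
    if os.path.exists(path):
        os.unlink(path)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(path)
        os.chmod(path, 0o660)  # only named's user/group should reach the daemon
        srv.listen(16)
        while True:
            conn, _ = srv.accept()
            with conn:
                handle(conn)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    serve()
```

Fed a constructed UDP request, `build_request("client1.key.name", "host.example.", "", "A", "client1.key.name")`, `decide(parse_request(...))` returns the deny byte; the same request with a TCP source address of `192.0.2.10` is allowed. The parser walks the NUL-terminated fields itself rather than relying on the length header, so `handle()` keeps reading until a complete request has arrived whichever way that length is counted.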