
List:       bind-workers
Subject:    Re: Client address to "external" via UNIX-domain socket
From:       Jan-Piet Mens <jpmens.dns () gmail ! com>
Date:       2011-03-21 8:55:54
Message-ID: 20110321085554.GA79055 () jmbp ! mens ! de

Evan,

>   Can you go into more detail about why you need this?

Thinking aloud, ideally, BIND would offer the following capabilities,
when made available to a large number of clients who may update
their zones.

1. Limit the total number of RRs in a zone on a per-zone basis. When a
   configured limit is reached, a ddns update is refused. The
   reasoning behind this is to prevent a client DoS'ing a BIND server.
   Something along the lines of

   zone-policy {
     max-records local-ddns none;
     max-records "client1.key.name" 200;
     max-records "client2.client.name" 400;
   };

   I have not fully thought about what consequences that would have,
   e.g. what happens when client1 reaches a limit: may it then delete
   records?

2. Better logging of ddns updates; which client (IP and key name) did
   what, when, etc. (We talked recently about the small patch I
   submitted.)

With matchtype external I was hoping to be able to hook up this kind of
functionality, but I now realize I'm on the wrong track.

> > Alternatively, is there a way to prevent updates over UDP? 
> 
> Well, if you're using matchtype external and the policy daemon
> rejects anything that doesn't send an address, that would prevent
> updates over UDP, I guess...

(grins) Yes, hadn't thought of that one. :)

Regards,

        -JP
_______________________________________________
bind-workers mailing list
bind-workers@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-workers
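Evan's suggestion of refusing any request that carries no client address can be expressed in the policy daemon's decision logic. The following is an added example, not code from the thread or from BIND; it assumes the request datagram layout documented in the BIND ARM for update-policy type "external" (version, length, five NUL-terminated strings, token length, token), a constructed rule that a key may only update its own name or names below it, and it leaves out the UNIX-domain datagram socket loop that would hand each request to decide() and send back encode_reply().

```python
import struct

PROTOCOL_VERSION = 1  # current version of the external update-policy protocol


def build_request(signer, name, addr, rdtype, key, token=b""):
    """Encode a request in the ARM-documented layout (constructed here so the
    parser can be exercised offline; named builds the real datagrams)."""
    body = b"".join(s.encode("ascii") + b"\x00"
                    for s in (signer, name, addr, rdtype, key))
    body += struct.pack("!I", len(token)) + token
    # Assumption: the length field counts the bytes after the 8-byte header.
    return struct.pack("!II", PROTOCOL_VERSION, len(body)) + body


def parse_request(datagram):
    """Decode: uint32 version, uint32 length, then signer, name, TCP source
    address, rdata type and key as NUL-terminated strings, then uint32 TKEY
    token length and the token."""
    if len(datagram) < 8:
        raise ValueError("datagram too short")
    version, _length = struct.unpack("!II", datagram[:8])
    if version != PROTOCOL_VERSION:
        raise ValueError("unsupported protocol version %d" % version)
    fields, pos = [], 8
    for _ in range(5):
        end = datagram.index(b"\x00", pos)
        fields.append(datagram[pos:end].decode("ascii"))
        pos = end + 1
    (tokenlen,) = struct.unpack("!I", datagram[pos:pos + 4])
    token = datagram[pos + 4:pos + 4 + tokenlen]
    signer, name, addr, rdtype, key = fields
    return {"signer": signer, "name": name, "addr": addr,
            "type": rdtype, "key": key, "token": token}


def decide(req):
    """Return 1 (permit) or 0 (refuse) for a parsed request."""
    # An empty source address means the update did not arrive over TCP;
    # refusing it is the "no updates over UDP" effect discussed above.
    if not req["addr"]:
        return 0
    # Constructed rule: a key may only touch its own name or names below it.
    signer = req["signer"].rstrip(".")
    name = req["name"].rstrip(".")
    return 1 if name == signer or name.endswith("." + signer) else 0


def encode_reply(verdict):
    """The 4-byte network-order verdict named reads back from the socket."""
    return struct.pack("!I", verdict)
```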