-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
transfer to must include * destination #469
Comments
Yes, we need this. The reason this was not done is that it needs a language that allows you to specify various aspects of networks and/or TSIG keys. It also needs to be similar enough to the (non-specified) language of the rewrite middleware (and maybe other middlewares). @johnbelamaric do you have an idea for a language here? |
Ok, this may be overkill, but as I see it this ties into the policy work we (Infoblox) are doing. This is just another example of policy. We want to be able to create policies that control who can request what. Those policies need to be external from the code for sure, but also possibly from the Corefile itself, allowing them to change at runtime without restarting CoreDNS. Currently the policy work is internal, but we will either be open sourcing it or joining https://openpolicyagent.org and bringing it there. Planning to make that decision ASAP. Some example policy questions could be:
This provides the functionality of RPZ plus way, way more. I currently have an integration here: https://github.com/johnbelamaric/coredns/tree/policy-middleware that integrates with this internal (to-be-open-sourced) prototype policy engine we have. It lets you externalize the policies into YAML files. Right now it is a middleware that allows you to enable checks on a per query basis. In theory it could support all use cases above, though for ACLs we may want something more specialized. This current implementation is a completely external system accessed via gRPC. But we could also embed some of this to allow putting policy definitions into the Corefile and applying them locally without making external calls. Now, that said...we could also consider having a simple policy language internally that can be used across different middleware, while still offering something like this for the more complex use cases. |
Thanks for that update @johnbelamaric. OPA looks nice, but the language (from what I saw) is quite verbose (and powerful). Slight hesitation from my side to include such a framework by default (as opposed to a middleware) as the acl language of CoreDNS. I'll double check what nsd, bind and powerdns use. |
Yes, it's probably best as a middleware. We may want a simple built-in policy middleware that just does basic stuff; then these other things would be used for complex stuff. |
Yes! (Only now I see the light). The lightweight policy stuff also needs to be a middleware, which bascially means the |
Well, we still need specify where and how (tsig or not) to transfer to and from. But the acl business can be moved elsewhere. |
NSD:
(Glanced at some bind stuff as well). The minimum need here is the possibility to specify a key and use that on The main thing to think about is, is it OK to repeat the key's definition or do we need/want it to be named. Corefile:
Or
|
I like this: https://caddyserver.com/docs/ipfilter |
Any update on ACL like stuff for zone transfers? |
No, other than the framework @johnbelamaric mentioned, we didn't make any progress on a small, easy to use DSL for these usecases. |
Well at least it is no longer required to put |
But only for secondary. It's still necessary fir "file" and "auto" middlewares afaik. |
It does work for "file" due to the change in |
Seems like this could be done for auto too right? |
Yes that code is all shared.
…On Aug 31, 2017 21:28, "Michael Grosser" ***@***.***> wrote:
Seems like this could be done for auto too right?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#469 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAVkWw6EsvOCCvmM2WiGmcEDBZuKwO9Rks5sdwl5gaJpZM4LaqTy>
.
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
I want to restrict zone transfers (with the file middleware) to specific secondary servers. At the moment I can only allow all servers (* is present in the list) or none (* is not present). The function TransferAllowed in zone.go seems to be incomplete.
I think rewriting it shouldn't be that hard but the TransferTo slice of Zone includes only strings so I have to parse them again. That seems unnecessary. So wouldn't it be better to have a slice of structs with IP, IPNet (to support CIDR notation) and Port?
The text was updated successfully, but these errors were encountered: