XFR clients have to be able to query SOA at apex #315
Conversation
Why solve the problem this way? I mean, the logic is correct IMHO, but wouldn't it be easier to just add the address to the |
Part of it is convenience (or user friendliness). Not everybody may know a SOA query is needed for a transfer (or may have forgotten about it or not aware of it while configuring). It is also convenient that the TSIG requirements are copied from provide-xfr. |
I think there's some miscommunication? I meant: automatically add it to the |
Ah, I thought that you meant that the user could configure it herself. My arguments w.r.t. privacy still hold though. We have an extra restriction to allow only TYPE_SOA at the apex queries with the provide-xfr acls, this restriction would not be there if the rules would simply be copied. The extra restriction prevents an on path eavesdropper to see the whole zone by sending queries with spoofed source IP. I also think the specific debugging message about the match mentioning provide-xfr has value. |
My main concern is that it's executed in the hotpath and the acls are iterated in linear fashion(?) And if TSIG is not required the same party could simply send an AXFR query, which would be much easier than trying to traverse the entire zone with normal queries and guessing? |
But that AXFR would be over TCP, yes? Then the TCP handshake prevents spoofing. It's also not that much in the hotpath. The whole branch is only evaluated |
The code looks good. The allowed SOA query should help with operations.
Clients that are allowed to transfer a zone because they match a provide-xfr acl, should also be able to query for the SOA at the apex (because such a client does that query before it starts the actual transfer).
This PR allows transfer clients to do a SOA query at the apex, even if queries are blocked for the zone with the allow-query option.
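The access decision discussed in this thread, written out as an added illustration (this is not NSD's code and not the PR's diff): a query passes either because it matches the zone's allow-query ACL, or because it is exactly a SOA query for the apex and it matches a provide-xfr ACL, with that ACL's TSIG key requirement still enforced. The ACL model (a source prefix plus an optional required TSIG key name), the zone and query records, and the rule that an absent allow-query list means unrestricted are simplifying assumptions of this example, not NSD's real configuration semantics.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# RR type numbers from RFC 1035 / RFC 5936.
TYPE_SOA = 6
TYPE_A = 1
TYPE_AXFR = 252


@dataclass
class Acl:
    """Simplified ACL entry (assumption): a source prefix and, optionally,
    the name of a TSIG key that must have verified on the query."""
    network: str
    tsig_key: Optional[str] = None


@dataclass
class Zone:
    apex: str
    # None models "no allow-query configured": every query is permitted.
    allow_query: Optional[List[Acl]]
    provide_xfr: List[Acl]


@dataclass
class Query:
    qname: str
    qtype: int
    source_ip: str
    tsig_key: Optional[str] = None  # key name if the query carried a valid TSIG


def _canonical(name: str) -> str:
    return name.lower().rstrip(".")


def acl_match(acls: List[Acl], q: Query) -> Optional[Acl]:
    """Linear scan, as the thread notes: first entry whose prefix covers the
    source and whose TSIG requirement (if any) the query satisfies."""
    ip = ipaddress.ip_address(q.source_ip)
    for acl in acls:
        net = ipaddress.ip_network(acl.network)
        if ip.version != net.version or ip not in net:
            continue
        if acl.tsig_key is not None and acl.tsig_key != q.tsig_key:
            continue  # address matches but the required key did not verify
        return acl
    return None


def query_allowed(zone: Zone, q: Query) -> Optional[str]:
    """Return which rule admitted the query, or None if it is refused."""
    if zone.allow_query is None or acl_match(zone.allow_query, q):
        return "allow-query"
    # Extra restriction from the discussion: only TYPE_SOA at the apex is
    # admitted through provide-xfr. Any other name or type stays refused, so
    # a spoofed-source sender cannot walk the zone with ordinary queries.
    if q.qtype == TYPE_SOA and _canonical(q.qname) == _canonical(zone.apex):
        if acl_match(zone.provide_xfr, q):
            return "provide-xfr"
    return None


# Constructed sample zone: ordinary queries only from 10.0.0.0/8, transfers
# only to 192.0.2.5 and only with TSIG key "secondary-key".
EXAMPLE_ZONE = Zone(
    apex="example.com.",
    allow_query=[Acl("10.0.0.0/8")],
    provide_xfr=[Acl("192.0.2.5/32", tsig_key="secondary-key")],
)


def demo() -> List[Optional[str]]:
    cases = [
        Query("example.com.", TYPE_SOA, "192.0.2.5", "secondary-key"),  # secondary's pre-transfer SOA check
        Query("example.com.", TYPE_SOA, "192.0.2.5"),                   # same source, TSIG missing
        Query("www.example.com.", TYPE_A, "192.0.2.5", "secondary-key"), # not SOA at apex
        Query("example.com.", TYPE_SOA, "10.1.2.3"),                    # plain allow-query match
        Query("example.com.", TYPE_SOA, "203.0.113.9"),                 # matches nothing
    ]
    return [query_allowed(EXAMPLE_ZONE, c) for c in cases]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The second and third cases are the ones the thread cares about: copying the provide-xfr ACL into allow-query wholesale would admit the third query too, whereas gating on SOA-at-apex keeps the rest of the zone hidden from anyone who only controls the source address.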