On Dec 6 2018, Mukund Sivaraman wrote:

> On Thu, Dec 06, 2018 at 04:29:13PM +0100, p vixie wrote:
>> It's an error in the specification.
>
> Thank you Paul. That clears it. I asked because BIND follows the RFC to
> the letter, and an admin may see some log messages that are unexpected
> for an address that's not in the update ACL.

This is actually a (long-standing, if rather mild) security exposure.
By distinguishing the error codes returned for suitably crafted update
operations, a client not authorised to even query a zone can determine
the existence or otherwise of names, RRsets, and even specific RRs with
guessed rdata, within it.
--
Chris Thompson
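A server-side regression check for the exposure described in the message above, as an added example that is not part of the thread and is not BIND code: it models one handler that evaluates prerequisites before the update ACL and one that checks the ACL first, then compares the rcodes an unauthorised client receives. It assumes the RFC under discussion is RFC 2136 (DNS UPDATE) with its prerequisite rcodes; the zone data, addresses and function names are constructed for illustration.

```python
"""Toy model of DNS UPDATE handling order (added example; not BIND code)."""

# Constructed zone contents: name -> {rrtype: set of rdata strings}
ZONE = {
    "www.example.": {"A": {"192.0.2.10"}},
    "mail.example.": {"MX": {"10 mx.example."}},
}
UPDATE_ACL = {"198.51.100.5"}  # constructed: clients allowed to update


def check_prereq(zone, kind, name, rrtype=None, rdata=None):
    """Return the RFC 2136 rcode for one prerequisite, or None if satisfied."""
    rrsets = zone.get(name, {})
    if kind == "name_in_use":
        return None if rrsets else "NXDOMAIN"
    if kind == "name_not_in_use":
        return "YXDOMAIN" if rrsets else None
    if kind == "rrset_exists":
        return None if rrtype in rrsets else "NXRRSET"
    if kind == "rrset_absent":
        return "YXRRSET" if rrtype in rrsets else None
    if kind == "rrset_equals":  # value-dependent form
        return None if rrsets.get(rrtype) == set(rdata) else "NXRRSET"
    raise ValueError(kind)


def handle_update(client, prereqs, acl_first, zone=ZONE, acl=UPDATE_ACL):
    """Return the response rcode; no update section is applied in this model."""
    authorised = client in acl
    if acl_first and not authorised:
        return "REFUSED"           # decided before the zone is consulted
    for p in prereqs:
        rcode = check_prereq(zone, *p)
        if rcode:
            return rcode           # reflects zone contents
    return "NOERROR" if authorised else "REFUSED"


def rcodes_seen(client, acl_first):
    """Distinct rcodes a client gets across a fixed set of prerequisite requests."""
    requests = [
        [("name_not_in_use", "www.example.")],
        [("name_not_in_use", "absent.example.")],
        [("rrset_absent", "www.example.", "A")],
        [("rrset_equals", "www.example.", "A", ["192.0.2.10"])],
        [("rrset_equals", "www.example.", "A", ["192.0.2.99"])],
    ]
    return {handle_update(client, r, acl_first) for r in requests}
```

With the ACL checked first, an address outside the update ACL sees only `REFUSED` whatever the zone holds, which is the property a server test suite can assert.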