On Fri, Dec 07, 2018 at 02:37:31PM +0000, Chris Thompson wrote:
> On Dec 6 2018, Mukund Sivaraman wrote:
> 
> > On Thu, Dec 06, 2018 at 04:29:13PM +0100, p vixie wrote:
> > > It's an error in the specification.
> > 
> > Thank you Paul. That clears it. I asked because BIND follows the RFC to
> > the letter, and an admin may see some log messages that are unexpected
> > for an address that's not in the update ACL.
> 
> This is actually a (long-standing, if rather mild) security exposure.
> By distinguishing the error codes returned for suitably crafted update
> operations, a client not authorised to even query a zone can determine
> the existence or otherwise of names, RRsets, and even specific RRs with
> guessed rdata, within it.

IIRC BIND checks if a client can query the zone before it proceeds with
the update algorithm. Don't know about other implementations.

                Mukund
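
As an added illustration (not code from this thread, from BIND, or from the RFC), here is a toy Python model of the RFC 2136 processing order Chris describes, beside the order Mukund attributes to BIND; the zone contents, ACLs, and client addresses are constructed for the example.

```python
from enum import Enum

class RCode(Enum):  # numeric values as assigned by RFC 1035 / RFC 2136
    NOERROR = 0
    NXDOMAIN = 3
    REFUSED = 5
    NXRRSET = 8

# Constructed sample zone for this example: owner name -> {rrtype: set of rdata}.
ZONE = {
    "www.example.test.": {"A": {"192.0.2.10"}},
    "secret.example.test.": {"TXT": {'"internal-host"'}},
}
QUERY_ACL = {"192.0.2.1"}   # constructed: clients allowed to query the zone
UPDATE_ACL = {"192.0.2.1"}  # constructed: clients allowed to send UPDATE

def check_prerequisite(zone, prereq):
    """RFC 2136 section 3.2 (subset): each failed prerequisite has its own RCODE."""
    kind, name, rrtype, rdata = prereq
    rrsets = zone.get(name, {})
    if kind == "name_in_use":
        return RCode.NOERROR if rrsets else RCode.NXDOMAIN
    if kind == "rrset_exists":        # value-independent
        return RCode.NOERROR if rrtype in rrsets else RCode.NXRRSET
    if kind == "rrset_exists_value":  # value-dependent: rdata must match exactly
        return RCode.NOERROR if rrsets.get(rrtype) == set(rdata) else RCode.NXRRSET
    raise ValueError(kind)

def handle_update_rfc_order(client, prereqs):
    """Literal RFC 2136 order: 3.2 prerequisites, then 3.3 permissions.
    A client outside the update ACL is still told the prerequisite result."""
    for prereq in prereqs:
        rcode = check_prerequisite(ZONE, prereq)
        if rcode is not RCode.NOERROR:
            return rcode
    if client not in UPDATE_ACL:
        return RCode.REFUSED
    return RCode.NOERROR  # the update section would be applied here

def handle_update_hardened(client, prereqs):
    """Mitigation the thread attributes to BIND: require query permission on the
    zone first, so a client that may not query it sees one RCODE regardless."""
    if client not in QUERY_ACL:
        return RCode.REFUSED
    return handle_update_rfc_order(client, prereqs)

def distinguishable(handler, client, existing_name, missing_name):
    """True if RCODEs alone let client tell an existing name from a missing one."""
    probe = [handler(client, [("name_in_use", n, None, None)]) for n in (existing_name, missing_name)]
    return probe[0] is not probe[1]
```

With the RFC order, a client in neither ACL gets REFUSED for an existing name but NXDOMAIN for a missing one; with the query-ACL check first, both probes return REFUSED.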

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop