On Thu, Oct 30, 2008 at 10:59:24AM -0700, [EMAIL PROTECTED] wrote:
> Kenneth Marshall wrote:
>> As you have found out, PowerDNS trusts its backend data completely and
>> expects it to be correct. You need to fix your zones and put mechanisms
>> in place to prevent the entry of bad data at all -- speaking as someone
>> who had their instance brought to its I/O knees by attempted zone
>> transfers of bad data. I would like nicer behavior, but assuming good
>> data allows for streamlined processing and much higher performance than
>> assuming bad data. In fact, by that reasoning PDNS should stop serving
>> zones once incorrect data is found. I think the current behavior is
>> better than not serving the data at all. My two cents.
>>
>> Ken
>>
> While I agree in general it's OK to trust backends, when PowerDNS is in
> 'slave' mode this is riskier. Now you have to 100% trust all your backends,
> your network connection and some other software on another server.
>
> In my case PowerDNS already detects the bad data, it just forgets to
> clean up the co-processes. Maybe slave mode isn't PowerDNS's most
> advisable/supported feature, but it seems to me it still should handle
> error cases gracefully.
>
I apologize, I confounded your problems with pdns as a slave with the
dirty data in a backend. I agree that this clean-up problem should be
fixed to avoid a possible DoS attack vector.

Ken