Hi Pieter! Thanks for the answers.
On 08.02.2017 18:53, Pieter Lexis wrote:
>> - If ALIAS is not enabled, will PDNS just ignore these records?
> ALIAS is always "enabled". When we encounter an ALIAS record for the name
> queried, it is expanded.

So, there is no means to disable ALIAS? Then this is IMO a bug. We use PowerDNS to slave zones from our customers. When one of these customers now puts in an ALIAS, the customer can inject DNS queries into our resolvers. E.g. if there is a day zero in a common resolver software - the untrusted customer could trigger that the resolver resolves a malicious domain and exploit the day zero.

This sounds very dangerous to me. Suddenly my resolvers, which were only accessible from within my network, can be used by everybody (at least by all my customers). This is a massive impact and should be noted in more detail in the changelog, because up to now I only had to deal with authoritative name server security - but this feature forces me to set up a dedicated resolver for these untrusted resolving requests.

Please add a feature to "disable-alias-expanding" and make it default YES if you care about security.

>> Any other things I need to know? I am a bit concerned doing potential
>> time consuming activities on my name servers.
> What do you mean by this?

Things like above.

Thanks
Klaus
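For operators who slave customer zones, the check below lists the ALIAS records in a zone and marks those whose target lies outside the zone. It is an added example, not part of the original message and not PowerDNS code; the function names and the sample zone are constructed, and it assumes master-file text with one record per line.

```python
import re

CLASSES = {"IN", "CH", "HS"}

def _absolute(name, origin):
    """Expand '@' or a relative name against origin; return it lowercased."""
    if name == "@":
        return origin
    return (name if name.endswith(".") else f"{name}.{origin}").lower()

def find_alias_records(zone_text, origin):
    """Return (owner, target, in_zone) per ALIAS record; in_zone is False for external targets."""
    apex = origin.lower()
    current, owner, found = apex, apex, []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]              # drop comments
        fields = line.split()
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN" and len(fields) > 1:
            current = _absolute(fields[1], current)
            continue
        if fields[0].startswith("$"):            # $TTL, $INCLUDE: not needed here
            continue
        if not raw[0].isspace():                 # leading blank keeps last owner
            owner = _absolute(fields[0], current)
            fields = fields[1:]
        # TTL and class are optional and may come in either order
        while fields and (fields[0].upper() in CLASSES
                          or re.fullmatch(r"\d+[smhdw]?", fields[0], re.I)):
            fields = fields[1:]
        if len(fields) >= 2 and fields[0].upper() == "ALIAS":
            target = _absolute(fields[1], current)
            in_zone = target == apex or target.endswith("." + apex)
            found.append((owner, target, in_zone))
    return found

# Constructed sample zone; all names are placeholders.
SAMPLE_ZONE = """\
$ORIGIN customer.example.
@      3600 IN SOA   ns1 hostmaster 2017020801 3600 600 604800 300
www    300  IN ALIAS web.customer.example.
shop   300  IN ALIAS external-host.example.net.  ; target leaves the zone
       300  IN TXT   "v=spf1 -all"
"""

if __name__ == "__main__":
    for owner, target, in_zone in find_alias_records(SAMPLE_ZONE, "customer.example."):
        print(owner, "->", target, "in-zone" if in_zone else "EXTERNAL")
```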
