Hi Klaus,

On Thu, 9 Feb 2017 22:12:07 +0100 Klaus Darilion <[email protected]> wrote:
> On 08.02.2017 18:53, Pieter Lexis wrote:
> >> - If ALIAS is not enabled, will PDNS just ignore these records?
> > ALIAS is always "enabled". When we encounter an ALIAS record for the name
> > queried, it is expanded.
>
> So, there is no means to disable ALIAS? Then this is IMO a bug. We use
> PowerDNS to slave zones from our customers. When now one of these
> customers puts in an ALIAS, the customer can inject DNS queries in our
> resolvers. E.g. if there is a day zero in a common resolver software -
> the untrusted customer could trigger that the resolver resolves a
> malicious domain and exploit the day zero.
>
> This sounds very dangerous to me. Suddenly my resolvers, which were only
> accessible from within my network, can be used by everybody (at least by
> all my customers). This is a massive impact and should be noted in more
> detail in the changelog, because up to now I only had to deal with
> authoritative name server security - but this feature forces me to set up
> a dedicated resolver for this untrusted resolving-request.
>
> Please add a feature to "disable-alias-expanding" and make it default
> YES if you care about security.

Your comment makes sense, not only from the resolver perspective, but also from the "I don't want my slaves doing any dynamic things"-perspective. Could you file an issue[1] for this so we can track this?

Thank you for clarifying,

Pieter

1 - https://github.com/PowerDNS/pdns/issues/new

--
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
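One way to find out which customer-supplied zones contain ALIAS records, and which names they would send to the resolver, is to scan the zone data before serving it. This is an added example, not part of the thread and not PowerDNS code; it assumes one record per line with a fixed origin, and the sample zone and all names in it are constructed.

```python
"""Audit customer-supplied zone data for ALIAS records before serving it."""

CLASSES = {"IN", "CH", "HS"}

# Constructed sample zone text (hypothetical customer zone).
SAMPLE_ZONE = """\
; constructed sample, not from the thread
@        3600 IN SOA   ns1.customer.example. hostmaster.customer.example. 1 7200 3600 1209600 3600
@        3600 IN NS    ns1.customer.example.
@        300  IN ALIAS lb.cdn-provider.example.
www      300  IN A     192.0.2.10
shop     IN 300 alias  target
         300  IN TXT   "not an ALIAS record"
"""

def _absolute(name, origin):
    """Expand '@' and relative names against the zone origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def find_alias_records(zone_text, origin):
    """Return [(owner, target)] for every ALIAS record in zone_text.

    Assumption: one record per line, no parenthesised multi-line records,
    and no $ORIGIN changes inside the zone (directives are skipped).
    """
    findings, owner = [], origin
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()       # drop comments
        if not line.strip() or line.lstrip().startswith("$"):
            continue                                # blank line or directive
        fields = line.split()
        if not raw[0].isspace():                    # line begins with an owner name
            owner = _absolute(fields.pop(0), origin)
        # Skip the optional TTL and class, which may appear in either order.
        while fields and (fields[0].isdigit() or fields[0].upper() in CLASSES):
            fields.pop(0)
        if len(fields) >= 2 and fields[0].upper() == "ALIAS":
            findings.append((owner.lower(), _absolute(fields[1], origin).lower()))
    return findings

if __name__ == "__main__":
    for owner, target in find_alias_records(SAMPLE_ZONE, "customer.example."):
        print(f"ALIAS at {owner} -> resolver would be asked for {target}")
```
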
