On Saturday 27 November 2004 17:20, [EMAIL PROTECTED] wrote:
> Hello all..
>
> First of all, diamonds 4 ever to Bill for the outstanding work on vegadns.
>
> Second, many gratz to Len for these two patches..
>
> Finally here are (maybe) a list of ideas you might find relevant in order
> to extend the sanity checking ..:
>
> - it would be great to have some options somewhere to allow only senior
> user to be able to change serial/ttl infos on a domain, if wanted. I
> recently had the case where some user would setup a TTL of "1" as minimum
> TTL and as "1" for every alias.. I doubt that's really RFC friendly..
>
> - on the same idea, check if the TTL of an ALIAS is lower than minimum
> default TTL specified for the domain..
OK, look for the following 2 lines in functions.php (should be circa line
262, function verify_record) in version 0.9.7 of vegadns:
    // make sure a TTL was given
    if($ttl == "") return "no TTL given";
then add
    // check that TTL is >= default min for domain
    // Get Current SOA information
    $q = "select * from records where type='S' and domain_id='" .
         get_dom_id($name) . "' limit 1";
    $result = mysql_query($q) or die(mysql_error());
    $row = mysql_fetch_array($result);
    $soa = parse_soa($row);
    if ( $ttl < $soa['minimum'] ) {
        return "TTL too small, minimum " . $soa['minimum'] . " allowed";
    }
That will stop it.
>
> - i had the case where users thought "TXT" field meant "web redirection"...
> checking if any www.fooo.com or http://www.fooo.com are present in TXT
> fields (thus denying them) could be great..
There is no check at all for TXT in the function verify_record
but you could insert this into this function:
    // verify TXT record: reject data that looks like a URL or a hostname
    // (preg_match is used instead of ereg, which current PHP no longer has;
    // the pattern requires at least one dot between labels, so plain text passes)
    if($type == 'T') {
        if( preg_match('#(https?://|(^|[^a-z0-9.-])[a-z0-9-]+(\.[a-z0-9-]+)+)#',
                       strtolower($address)) ) {
            return "TXT records can not contain a domain in the address field";
        }
    }
This would check if the string contains something that looks like a domain...
>
> - another thing, having a CNAME as base fooo.com Alias seems to bork the
> dns.. means if foo.com > cname > bar.com ... problems to be expected..
> whereas: foo.com > alias > ip ... no problem ...
> maybe a check for having a valid IP not CNAME for default record of the
> domain could be useful (also check if default A record exists)..
CNAME and A records are already checked for ip. There is no crosschecking, I'm
not too sure about that.
How to identify a default A record, without making too many assumptions about
how someone is organising their dns?
The A record with the least number of dots?
or compare with domain I guess
Perhaps you are giving your users too much slack ;-)
or the permissions cascade needs to be implemented more robustly...
>
> I'm sure more could be said.. i'm just throwing some ideas here ..
Same here
>
> Fact is i lack the skills to provide a good robust patch.. but if you feel
> to add any of the previous ideas, please feel free to do so !
>
> Best regards to all, take care.
>
> R.S.
--
-----------------
Bob Hutchinson
Midwales dot com
-----------------
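As an added example, not code from vegadns or from anyone in this thread, here are the three checks discussed above as stand-alone PHP functions: TTL against the SOA minimum, TXT data that looks like a domain or URL, and the default record identified by comparing the record host to the domain name, as suggested. The record arrays with 'type', 'host' and 'address' keys and the single letters 'C' for CNAME and 'A' for A records are assumptions; 'S' and 'T' follow the verify_record snippets quoted above.

```php
<?php
// Added example for this thread, not vegadns code. Record arrays with keys
// 'type', 'host', 'address' and the type letters 'C' (CNAME) / 'A' are assumptions.

// TTL must be present, numeric, and not below the SOA minimum for the domain.
function check_ttl($ttl, $soa_minimum) {
    if (!ctype_digit((string)$ttl)) return "no TTL given";
    if ((int)$ttl < (int)$soa_minimum) {
        return "TTL too small, minimum $soa_minimum allowed";
    }
    return true;
}

// TXT data that looks like a URL or a hostname is usually a user who wanted a
// redirect; flag it. Heuristic: an http(s):// scheme or any run of dotted labels.
function check_txt($address) {
    $a = strtolower($address);
    if (preg_match('#https?://#', $a)
        || preg_match('/(^|[^a-z0-9.-])[a-z0-9-]+(\.[a-z0-9-]+)+/', $a)) {
        return "TXT records can not contain a domain in the address field";
    }
    return true;
}

// The default record is the one whose host equals the domain itself (the apex).
// A CNAME there is invalid: the apex already carries SOA and NS records, and a
// CNAME may not share its name with other data (RFC 1034 section 3.6.2).
function check_apex($domain, $records) {
    $apex = rtrim(strtolower($domain), '.');
    $has_a = false;
    foreach ($records as $r) {
        if (rtrim(strtolower($r['host']), '.') !== $apex) continue;
        if ($r['type'] === 'C') {
            return "default record for $apex must be an A record, not a CNAME";
        }
        if ($r['type'] === 'A') $has_a = true;
    }
    return $has_a ? true : "no default A record for $apex";
}

// Constructed sample data: a CNAME at the apex, which the check should reject.
$soa_minimum = 3600;
$records = array(
    array('type' => 'C', 'host' => 'foo.com', 'address' => 'bar.com'),
    array('type' => 'A', 'host' => 'www.foo.com', 'address' => '192.0.2.10'),
);
var_dump(check_ttl(1, $soa_minimum));
var_dump(check_txt('http://www.foo.com'));
var_dump(check_txt('v=spf1 -all'));
var_dump(check_apex('foo.com', $records));
```

Each function returns true when the record is acceptable and an error string otherwise, matching the convention of verify_record in the snippets above.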