Check UPDATE ACLs before creating update events and prerequisites
Up for Discussion:
Versions: all versions at least up to 9.19.6
Current situation
BIND currently follows RFC 2136 almost to the letter:
- first check the query ACL for the target zone (not mentioned in the RFC, but it makes sense)
- then check the prerequisites (section 3.2)
- then check the update ACL for the target zone (section 3.3)
All of this processing is done in update events, i.e. each incoming UPDATE packet allocates an internal structure which is then processed asynchronously.
Proposal
As a "defense in depth" measure, I think we should first check both ACLs synchronously and only if they match create an asynchronous event. This would:
- guard read-only servers/zones against bugs in most of the UPDATE message processing code (namely prerequisite checking)
- remove the need to check the quota, allocate an event and enqueue it for UPDATEs that would be refused later anyway
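As an added model (not BIND code and not part of this issue) of the two orderings described above: the RFC 2136 order BIND follows today versus the proposed ACL-first order, with counters showing how much processing a client outside the update ACL reaches in each case. The zone, ACLs, client addresses and the simplified prerequisite shape are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Zone:
    query_acl: list   # CIDR strings allowed to query the zone
    update_acl: list  # CIDR strings allowed to update it ([] = read-only zone)
    names: set = field(default_factory=set)  # owner names present in the zone (constructed)

@dataclass
class Stats:
    events_allocated: int = 0   # asynchronous update events created
    prereqs_evaluated: int = 0  # times the prerequisite code path was reached

def acl_allows(acl, client):
    return any(ip_address(client) in ip_network(net) for net in acl)

def check_prereqs(zone, prereqs, stats):
    # Simplified RFC 2136 section 3.2: "name is in use" / "name is not in use".
    stats.prereqs_evaluated += 1
    for kind, name in prereqs:
        exists = name in zone.names
        if kind == "YXDOMAIN" and not exists:
            return "NXDOMAIN"
        if kind == "NXDOMAIN" and exists:
            return "YXDOMAIN"
    return "NOERROR"

def current_order(zone, client, prereqs, stats):
    # Today: query ACL, allocate the event, prerequisites (3.2), then update ACL (3.3).
    if not acl_allows(zone.query_acl, client):
        return "REFUSED"
    stats.events_allocated += 1
    rcode = check_prereqs(zone, prereqs, stats)
    if rcode != "NOERROR":
        return rcode
    if not acl_allows(zone.update_acl, client):
        return "REFUSED"
    return "NOERROR"

def proposed_order(zone, client, prereqs, stats):
    # Proposal: both ACLs synchronously first; allocate and process only if both match.
    if not acl_allows(zone.query_acl, client) or not acl_allows(zone.update_acl, client):
        return "REFUSED"
    stats.events_allocated += 1
    return check_prereqs(zone, prereqs, stats)

# Constructed sample: anyone may query, only 192.0.2.0/24 may update.
ZONE = Zone(["0.0.0.0/0"], ["192.0.2.0/24"], {"www.example.test."})
PREREQS = [("YXDOMAIN", "www.example.test."), ("NXDOMAIN", "new.example.test.")]
```

Sending a failing prerequisite from an address outside the update ACL also shows the observable change: the client gets REFUSED instead of the prerequisite rcode, which is exactly where the proposal departs from the RFC 2136 order.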
Doubts
- RFC 2136 requires this order.
- Counterargument: PowerDNS and Knot DNS check ACLs first already and the world did not end (yet?).
See also #3523 (closed)
Edited by Michał Kępień