[dns-operations] EDNS and TLDs

Florian Weimer fweimer at redhat.com
Wed Nov 16 13:56:10 UTC 2016

On 11/16/2016 02:21 PM, Bob Harold wrote:
> On Wed, Nov 16, 2016 at 8:00 AM, Florian Weimer <fweimer at redhat.com> wrote:
>> On 10/29/2016 11:06 AM, Phil Regnauld wrote:
>>> Mark Andrews (marka) writes:
>>>> Thanks.  Firewall are the biggest problems at the moment.
>>>         Firewalls in front of DNS servers still puzzle me.
>> If you want to run BIND, a packet filter in front of it currently is the
>> only way to switch off processing of DNS UPDATE messages in BIND, so I can
>> see why people do this.
>> Florian
> Why not just:
>       allow-update { none; };
> in BIND?

BIND will still process the DNS UPDATE messages, so that it can return 
the right response code.

> I would expect that to be not much work processing than what the firewall
> has to do, and less because of the overhead of the firewall.

As far as I know, your configuration change does not disable DNS UPDATE 
processing because BIND determines the UPDATE capability of a view only 
after it has found the view, which requires parsing the packet.

BIND could have a global flag indicating whether any view has UPDATE 
capability, an if it is not set, reject UPDATE messages early.  I'm not 
sure if this change is worth it, or if all DNS UPDATE related bugs have 
been ironed out.


More information about the dns-operations mailing list