[Pdns-users] Frontend for PowerDNS ?!

Kenneth Marshall ktm at rice.edu
Thu Dec 20 13:47:44 UTC 2007


On Fri, Dec 21, 2007 at 12:28:34AM +1100, Duane wrote:
> Jan-Piet Mens wrote:
> 
> > 2. Disallow adding CNAME and other data. It kills BIND zone transfers ;-)
> 
> Why does it? Wouldn't it be better to fix whatever real problem exists
> than glossing over them and denying users full DNS functionality?
> 
> For what it's worth, I haven't noticed any problems with zone transfers.
> 
> -- 
> 
> Best regards,
>  Duane
> 
FYI,

We were bitten by this problem with our in-house webtool for PDNS as
well. The problem was not a problem with PDNS but with incorrect information
in the zones. The RFC specifically disallows the presence of both a CNAME
and any other record with the same key value. We plugged it with a trigger
in the DB while we patched the webtool. If this happens, the BIND DNS slave
server aborts the zone transfer with an error and tries again, and again,
and again, ... Can you say self-imposed DoS three times fast? Another issue
that our in-house tool has, which we just noticed, is that it allows mixed-
case on the key value. That turned the PDNS lookups into sequential scans
because there was not a valid index for that lookup. By and large, a tool
like this needs to be very careful about vetting the information provided
before inserting it into the backend DB.

Ken
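
The database-side guard described in the message above, as an added example (not code from the original post or from PowerDNS). It assumes SQLite through Python's `sqlite3` and a simplified `records` table with only `name`, `type` and `content`; the trigger and function names are hypothetical, and only INSERT is guarded.

```python
import sqlite3

# Simplified stand-in for the backend records table (assumed layout).
SCHEMA = """
CREATE TABLE records (
    id      INTEGER PRIMARY KEY,
    name    TEXT NOT NULL CHECK (name = lower(name)),  -- reject mixed case
    type    TEXT NOT NULL,
    content TEXT NOT NULL
);
CREATE INDEX records_name_idx ON records (name);

-- A CNAME may not share its owner name with any other record.
CREATE TRIGGER cname_exclusive BEFORE INSERT ON records
BEGIN
    SELECT RAISE(ABORT, 'CNAME cannot coexist with other data')
    WHERE EXISTS (
        SELECT 1 FROM records r
        WHERE r.name = NEW.name
          AND (NEW.type = 'CNAME' OR r.type = 'CNAME')
    );
END;
"""

def try_insert(db, name, rtype, content):
    """Return True if the row was accepted, False if the DB rejected it."""
    try:
        with db:  # commit on success, roll back on error
            db.execute(
                "INSERT INTO records (name, type, content) VALUES (?, ?, ?)",
                (name, rtype, content))
        return True
    except sqlite3.DatabaseError:
        return False

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    rows = [  # constructed sample data
        ("www.example.com", "A", "192.0.2.10"),
        ("www.example.com", "CNAME", "host.example.com"),  # clashes with A
        ("ftp.example.com", "CNAME", "host.example.com"),
        ("ftp.example.com", "TXT", "hello"),               # clashes with CNAME
        ("Mail.Example.com", "A", "192.0.2.25"),           # mixed-case name
        ("www.example.com", "AAAA", "2001:db8::10"),
    ]
    return [try_insert(db, *row) for row in rows]

if __name__ == "__main__":
    print(demo())
```

Rejecting these rows at the database keeps a buggy front end from publishing a zone the slave will refuse, and keeping names lower-case lets lookups use the index on `name`.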

