[Pdns-users] query on --out-of-zone-additional-processing

[bert hubert]

On Fri, Feb 11, 2011 at 10:32:45AM +0000, Tom Boland wrote:
>    Do out of zone additional processing. This means that if a malicious
>    user adds a '.com' zone to your server, it is not used for other
>    domains and will not contaminate answers. Do not enable this setting
>    if you run a public DNS service with untrusted users. Off by default.
> 
> """
> 
> My question is this.  The description indicates that setting this to
> yes would prevent malicious use of your public authoritative DNS
> server with untrusted users (such as in our hosting company), but
> then goes on to say that you shouldn't enable this setting if you
> run a public DNS service with untrusted users?  Could someone please
> clarify this?

Hi Tom!

The description is indeed off. It should say:
    If enabled, data from other zones may be included in the additional
    section of answers.  If disabled and a malicious user adds a '.com' zone
    to your server, it is not used to look IP addresses for MX records and
    NS records. Do not enable this setting if you run a public DNS
    service with untrusted users.  Off by default.

However, it turns out that even this is not actually enough, since
'additional-processing' does not include CNAME resolution, and I bet this is
what you are referring to ;-)

So CNAMEs to 'other customer generated records' will still involve 'public
supplied data'. And as we saw yesterday, this can confuse the internet.

Reading the source, it appears that this is not trivial to fix, and may be
post-3.0 ('PowerDNSSEC').

So, thanks for pointing out the error in the documentation, and apologies
that we don't in fact do what you need (right now).

	Bert