nsdc update implementation details

Wouter Wijngaards wouter at NLnetLabs.nl
Tue Jul 17 10:48:02 UTC 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Peter Koch wrote:
> On Mon, Jul 16, 2007 at 10:26:16AM +0200, Wouter Wijngaards wrote:
> 
>> If a NOTIFY message is sent and it contains the new SOA serial number
>> inside the NOTIFY message (this is what master servers send out), then
>> NSD will query the source IP address if its a master and if not, it will
>> run through the list of masters, in order from the config file,
> 
> shouldn't the slave ignore any NOTIFY messages from non-masters instead?

By default all notify messages are refused. You have to list the masters
and non-masters explicitly to give notify permission.

>> accepting updates, until it gets an update that brings the zone to the
>> new SOA serial number from the NOTIFY. So, if it knows version x is out
>> there, it will keep trying until it gets version x or later.
> 
> So with a single spoofed (or not even that) NOTIFY one could make the slaves
> rapidly query all their masters?

Well, after 3 rounds along the masters it will wait for the zone retry
timeout. And try again.

Use TSIG on the notify messages to combat spoofing.

If you bombard the server with spoofed notify messages, it will poll the
masters even more often; since that will wake it up from the retry wait.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFGnJ5ikDLqNwOhpPgRAl7dAJ9fLQYh/WbIB7WwDwp2eCsItJsVewCfat2p
UiedaiWofiP5hFTnRDcJuGA=
=L/8+
-----END PGP SIGNATURE-----



More information about the nsd-users mailing list