[nsd-users] allow-notify on localhost

Mark Santcroos mark at NLnetLabs.nl
Tue Sep 18 09:12:08 UTC 2007

Hash: SHA1

Hey Paul,

Thanks for your feedback!

Paul Wouters wrote:
> It would be nice if we could add the line
> 	allow-notify: NOKEY
> to the server: section instead of in each zone: section. Especially, since
> it is a requirement for nsdc update.

We understand how this would make your life "easier".
On the other hand this is not something that is impossible without
changing NSD.

In general we prefer not to add functionality that makes the config file
simpler. It creates more code in NSD (and we have the risk that we end
up creating a full language parser for the config file). So for advanced
config file management we could say use an external macro preprocessor.

The good news is that in this case we consider to create a flag with
limited functionality. We could create a flag in the "server" section,
"allow-localhost-notify" that turns allowing notifies from localhost on.
We will discuss this a bit more internally and let you know what the
concensus is.

> Or even make it implicit to always
> allow this from localhost (f you can't trust localhost, you have more
> problems)

For security reasons, and no really good reasons in favour of it, we
won't make it trust localhost by default.



- --
Mark Santcroos
NLnet Labs

Version: GnuPG v1.4.5 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the nsd-users mailing list