[nsd-users] allow-notify on localhost

Mark Santcroos mark at NLnetLabs.nl
Tue Sep 18 09:12:08 UTC 2007



Hey Paul,

Thanks for your feedback!

Paul Wouters wrote:
> It would be nice if we could add the line
> 
> 	allow-notify: 127.0.0.1 NOKEY
> 
> to the server: section instead of in each zone: section. Especially, since
> it is a requirement for nsdc update.

We understand how this would make your life "easier".
On the other hand this is not something that is impossible without
changing NSD.

In general we prefer not to add functionality that makes the config file
simpler. It creates more code in NSD (and we have the risk that we end
up creating a full language parser for the config file). So for advanced
config file management we could say use an external macro preprocessor.

The good news is that in this case we consider to create a flag with
limited functionality. We could create a flag in the "server" section,
"allow-localhost-notify" that turns allowing notifies from localhost on.
We will discuss this a bit more internally and let you know what the
consensus is.

> Or even make it implicit to always
> allow this from localhost (if you can't trust localhost, you have more
> problems)

For security reasons, and no really good reasons in favour of it, we
won't make it trust localhost by default.


Regards,

Mark

--
Mark Santcroos
NLnet Labs
http://www.nlnetlabs.nl/

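The "external preprocessor" approach Mark suggests, as an added example that is not part of the thread or of NSD itself: a small POSIX shell generator that emits one `zone:` section per entry of a zone list, each carrying the explicit `allow-notify: 127.0.0.1 NOKEY` line that `nsdc update` needs, so localhost is trusted only where the operator wrote it down and never implicitly. The zone names and file paths are constructed sample data; the `server:`/`zone:`/`name:`/`zonefile:`/`allow-notify:` keywords follow NSD 3 nsd.conf syntax.

```shell
#!/bin/sh
# Added example, not code from the nsd-users thread or from NSD.
# Generates nsd.conf zone sections from a "name zonefile" list, adding
# the per-zone localhost allow-notify line the thread discusses.

# gen_zone NAME ZONEFILE -> prints one zone: section with localhost notify
gen_zone() {
    printf 'zone:\n'
    printf '\tname: "%s"\n' "$1"
    printf '\tzonefile: "%s"\n' "$2"
    # Localhost only, no TSIG key: exactly what nsdc update requires.
    # NSD does not trust localhost by default, so this must be explicit.
    printf '\tallow-notify: 127.0.0.1 NOKEY\n'
}

# gen_conf -> reads "name zonefile" pairs on stdin, emits a full config
gen_conf() {
    printf 'server:\n\tip-address: 127.0.0.1\n\n'
    while read -r name zonefile; do
        [ -z "$name" ] && continue            # skip blank lines
        case "$name" in \#*) continue ;; esac # skip comment lines
        gen_zone "$name" "$zonefile"
        printf '\n'
    done
}

# Constructed sample zone list (not real zones); normally a file you
# keep next to the generated nsd.conf.
ZONES='# name            zonefile
example.test      example.test.zone
example.invalid   example.invalid.zone'

# count_notify -> number of zone sections that got the localhost line
count_notify() {
    printf '%s\n' "$ZONES" | gen_conf | grep -c 'allow-notify: 127.0.0.1 NOKEY'
}
```

Run `printf '%s\n' "$ZONES" | gen_conf > nsd.conf` to produce the config; adding a zone to the list and re-running keeps the localhost rule consistent across every zone.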
