[knot-dns-users] Knot DNS 1.3.0-rc5

Johan Ihrén johani at johani.org
Sat Aug 3 17:24:44 CEST 2013


>> Besides, I think it conforms to the standard listed in the thread as
>> we "identify and handle occluded names"
>> and also include occluded names in the AXFR response. Except, we don't
>> but since we don't accept
>> such names into a zonefile in the first place, it is irrelevant to
>> consider whether we would include them
>> or not in the AXFR response. And I believe discarding them falls into
>> the "identify and handle" category.
> 
> I'm happy with this response. As I said, out-of-zone names shouldn't be
> there in the first place, and I can't think of any negative side effects
> of discarding them.

What about NSEC/NSEC3 chains? 

>> I see the point, but I also see a few good cases where it's a good idea to fake
>> the server version/id. Nevertheless, we could accept two (3 for NSID)
>> different types:
>> * boolean on|off - on would fill a default string, off would turn it
>> off (just a convenience)
>> * text "something" - arbitrary string, just like now, even empty text
>> * hexstring - just for the NSID
>> 
>> This would make it convenient to serve both automatic or arbitrary data.
>> Does this sound okay?
> 
> If you can make Knot parse the options as either boolean or strings,
> that would be great. Then we can have on|off for sane defaults, or
> string values for wacky people who want to misreport versions and
> identities for any reason :)

There are cases where having your own version is more than reasonable. Apart from the minimum disclosure case (that would be covered by an "off" switch) it may be that we have our own modifications to the stock releases. Sure, if we're hacking the source we can of course hack the part that specifies the version string...but we all forget about such maintenance while we're chasing the real problem, so being able to just tweak the config to indicate that this is not stock knot-1.3.0 but rather my own derivative version would be helpful.

Johan




More information about the knot-dns-users mailing list