From ray@isc.org  Mon May 15 12:56:55 2017
MIME-Version: 1.0
X-Spam-Status: No, score=-2.9 required=5.0 tests=ALL_TRUSTED,BAYES_00, RP_MATCHES_RCVD autolearn=ham autolearn_force=no version=3.4.0
content-type: text/plain; charset="utf-8"
Message-ID: <a0d8807a-d590-f5a5-846b-048993b6bc03@isc.org>
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) by bugs.isc.org (Postfix) with ESMTP id 5E11E71B5A8 for <bind-suggest@bugs.isc.org>; Mon, 15 May 2017 12:56:55 +0000 (UTC)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id BED9634930F for <bind-suggest@isc.org>; Mon, 15 May 2017 12:56:52 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 84E09160041 for <bind-suggest@isc.org>; Mon, 15 May 2017 12:56:52 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 5FF38160071 for <bind-suggest@isc.org>; Mon, 15 May 2017 12:56:52 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id z8kl47mOFUQv for <bind-suggest@isc.org>; Mon, 15 May 2017 12:56:52 +0000 (UTC)
Received: from rays-mbp.local (unknown [195.77.54.1]) by zmx1.isc.org (Postfix) with ESMTPSA id B76C8160041 for <bind-suggest@isc.org>; Mon, 15 May 2017 12:56:51 +0000 (UTC)
Delivered-To: bind-suggest@bugs.isc.org
Subject: Security of dynamic updates
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
Return-Path: <ray@isc.org>
X-Original-To: bind-suggest@bugs.isc.org
Date: Mon, 15 May 2017 14:56:48 +0200
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on mx.pao1.isc.org
To: bind-suggest@isc.org
Content-Transfer-Encoding: 7bit
From: "Ray Bellis" <ray@isc.org>
X-RT-Original-Encoding: utf-8
X-RT-Interface: Email
Content-Length: 358

Just a straw-man proposal, prompted by what we've just seen at DNS-OARC.

<https://indico.dns-oarc.net/event/26/session/4/contribution/19/material/slides/0.pdf>

I suggest that BIND should default to permitting only TCP transport for
dynamic updates that are only controlled by an IP ACL, unless
deliberately configured otherwise by the administrator.

Ray