NSD ACL Plugin

Erik Rozendaal erik at NLnetLabs.nl
Thu Jul 10 13:10:16 UTC 2003


Colm MacCarthaigh wrote:
> After having enough time to put some finishing touches to an ACL plugin
> for NSD I now have something suitable for looking at. It isn't entirely
> functional just yet, but it does compile, load and work to a certain
> extent.
> 
> After untarring the source, it needs to be configured as follows:

Is there a place I can get the source? :)

> for example. The current implementation has two main limitations,
> I'm hoping someone may be able to help me rectify these. The plugin
> currently only honours "all" type ACLs, i.e. you can't block just
> "NS", "MX" .. or whatever queries. This is because I can't find
> an easy way to determine query_type from within the plugin. Is there
> an easy way?

Not yet.  Right now the class and type of the query are passed explicitly 
to functions that need it inside NSD.  They should be stored in "struct 
query" after the query has been analyzed.  Another problem is that 
currently the query is overwritten with the answer... so by the time your 
plugin is called the original class and type are no longer available :-(

Finally, what do you plan to do when a client issues a query for type "ANY" 
but is not allowed to see MX records?  Filter out the MX records from the 
answer?  Reject the original ANY query?

> Rules are currently not honoured for subzones. So, if you have
> a rule that says:
> 
> 	deny all for example.com from 0.0.0.0/0 
> 
> "host -t any example.com" will be refused by the plugin, but 
> "host -t any www.example.com" will not. 
> 
> Fixing this is a matter of finding out how to get a list of all the records 
> in a particular zone and registering data for each. Since the AXFR code
> must have a method of finding out all this data, I'm assuming this will
> be relatively doable. I just haven't figured out how yet. Though the
> plugin has been written with this approach in mind. (see the top of
> nsd_acl_plugin.c). I'd appreciate any insights anyone has to offer in
> this regard.

Probably the easiest way is to use the HEAP_WALK macro in heap.h (which 
redefines RBTREE_WALK in rbtree.h) on interface->nsd->db->heap.  This will 
give you all the domains (not just the ones specific to a zone).

Obviously the internal plugin APIs aren't very well defined yet.  That's 
one reason the plugin support is marked experimental :)  But it will be a 
good thing to make more of the internal functionality of NSD available to 
plugins in a documented manner.  But this will take some time.

Erik
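A label-aware version of the subzone check Colm describes, as an added example that is not part of the plugin or of this thread: a rule for example.com also covers www.example.com but not notexample.com, and the client address is matched against the rule's CIDR. The function names and the split of the rule into zone, network and prefix are assumptions.

```c
/* Added example (not NSD or nsd_acl_plugin.c code): whole-label zone
 * matching plus IPv4 CIDR matching for "deny all for <zone> from <net>/<prefix>". */
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <arpa/inet.h>

/* Length without one trailing dot, so "example.com." equals "example.com". */
static size_t trimmed_len(const char *name) {
    size_t n = strlen(name);
    return (n > 0 && name[n - 1] == '.') ? n - 1 : n;
}

/* True if qname is the zone apex or lies below it on a label boundary;
 * "notexample.com" must not match a rule for "example.com". */
int name_in_zone(const char *qname, const char *zone) {
    size_t ql = trimmed_len(qname), zl = trimmed_len(zone);
    if (zl == 0) return 1;                      /* root zone covers every name */
    if (ql < zl) return 0;
    if (strncasecmp(qname + (ql - zl), zone, zl) != 0) return 0;
    return ql == zl || qname[ql - zl - 1] == '.';
}

/* True if dotted-quad addr lies inside net/prefix (prefix 0..32). */
int addr_in_cidr(const char *addr, const char *net, int prefix) {
    struct in_addr a, n;
    in_addr_t mask;
    if (inet_pton(AF_INET, addr, &a) != 1 || inet_pton(AF_INET, net, &n) != 1)
        return 0;                               /* unparsable input never matches */
    if (prefix <= 0) return 1;                  /* 0.0.0.0/0 matches everything */
    mask = htonl(prefix >= 32 ? 0xFFFFFFFFu : ~((1u << (32 - prefix)) - 1));
    return (a.s_addr & mask) == (n.s_addr & mask);
}

/* One "deny all" rule applied to a query name and its source address. */
int acl_denies(const char *zone, const char *net, int prefix,
               const char *qname, const char *src) {
    return name_in_zone(qname, zone) && addr_in_cidr(src, net, prefix);
}

int main(void) {
    /* Constructed inputs mirroring the rule quoted in the thread. */
    printf("example.com=%d www.example.com=%d notexample.com=%d\n",
           acl_denies("example.com", "0.0.0.0", 0, "example.com", "192.0.2.1"),
           acl_denies("example.com", "0.0.0.0", 0, "www.example.com", "192.0.2.1"),
           acl_denies("example.com", "0.0.0.0", 0, "notexample.com", "192.0.2.1"));
    return 0;
}
```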
