Re:
Art Shelest wrote:
> Hi:
>
> Secure name resolution question: is there an existing mechanism that
> permits configuring DNS server to only resolve name X for authorized
> clients?
>
> For example, I would like to have www.example.com only be resolvable by
> members of a specific group, and make it "invisible" to others.

I assume by "invisible" you mean that the nameserver responds that the
name doesn't exist, as opposed to REFUSE'ing the query, which would let
the "forbidden" clients know that something is there (?)

You could define those "special" names as zones by themselves, and then
define separate "view"s for the "permitted" versus the
"forbidden" clients. This would require BIND 9, which supports "view".

Note, however, that this would be a lot of work to set up and maintain,
since *every* existing zone on the nameserver would need to be defined and
maintained in each "view" (but you may be able to play
multiple-references-to-the-same-file or $INCLUDE-file games to make your
life easier in this regard...).

- Kevin
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
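
The view layout described in the reply above, sketched as a BIND 9 named.conf fragment. This is an added example, not part of the original message; the ACL addresses, file paths and view names are assumed placeholders.

```conf
// Constructed example: every address, path and view name here is a placeholder.

acl "permitted" {
    192.0.2.0/24;              // clients allowed to resolve www.example.com
};

view "permitted" {
    match-clients { "permitted"; };

    // The protected name is a zone of its own and exists only in this view.
    zone "www.example.com" {
        type master;
        file "zones/www.example.com.db";
    };

    // Once views are in use, every zone has to be declared inside a view.
    // A shared include file keeps the ordinary zone list identical in both.
    include "/etc/named/common-zones.conf";
};

view "forbidden" {
    // Views are tried in the order written, so everyone not matched by the
    // "permitted" view above ends up here.
    match-clients { any; };

    // No zone for www.example.com in this view. The shared example.com zone
    // file carries no record for "www", so these clients get a "no such
    // name" answer from the parent zone rather than a REFUSED response.
    include "/etc/named/common-zones.conf";
};

// Contents of /etc/named/common-zones.conf, read by both views:
//
//   zone "example.com" {
//       type master;
//       file "zones/example.com.db";
//   };
```

Because match-clients selects a view by source address (or by TSIG key), "members of a specific group" has to be expressible as a set of addresses or keys. The view order matters: placing the catch-all view first would route every client to it.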