Posted to commits@trafficserver.apache.org by ml...@apache.org on 2013/12/19 02:05:19 UTC

[08/12] git commit: [TS-428] Add proxy.config.dns.validate_query_name to drecords.config doc from Jira notes.

[TS-428] Add proxy.config.dns.validate_query_name to drecords.config doc from Jira notes.


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/44a86148
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/44a86148
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/44a86148

Branch: refs/heads/master
Commit: 44a8614853f2d622861aa3ee434b1eb9fe255bb7
Parents: 1b814a7
Author: Miles Libbey <ml...@apache.org>
Authored: Mon Dec 16 14:12:48 2013 -0800
Committer: Miles Libbey <ml...@apache.org>
Committed: Mon Dec 16 14:12:48 2013 -0800

----------------------------------------------------------------------
 doc/reference/configuration/records.config.en.rst | 6 ++++++
 1 file changed, 6 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/44a86148/doc/reference/configuration/records.config.en.rst
----------------------------------------------------------------------
diff --git a/doc/reference/configuration/records.config.en.rst b/doc/reference/configuration/records.config.en.rst
index fd662c5..353b8e6 100644
--- a/doc/reference/configuration/records.config.en.rst
+++ b/doc/reference/configuration/records.config.en.rst
@@ -1403,6 +1403,12 @@ hostname to ``host_x.y.com``.
    contention on the first worker thread (which otherwise takes on the burden of
    all DNS lookups).
 
+.. ts:cv:: CONFIG proxy.config.dns.validate_query_name INT 0
+
+   When enabled (1) provides additional resilience against DNS forgery (for instance 
+   in DNS Injection attacks), particularly in forward or transparent proxies, but 
+   requires that the resolver populates the queries section of the response properly.
+
 HostDB
 ======
 
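Review bot: The added description for `proxy.config.dns.validate_query_name` opens with "When enabled (1) provides ...", which has no subject, and it never says what is validated or what happens to a response that fails the check. Suggest naming the actor and the check, for example "When enabled (1), Traffic Server ..." followed by the field it compares. The directive line declares `INT 0`, but the text covers only the enabled case, so add a sentence that the default 0 leaves the check off. The first two added description lines also end in trailing whitespace (after "instance" and after "but").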


Re: [08/12] git commit: [TS-428] Add proxy.config.dns.validate_query_name to drecords.config doc from Jira notes.

Posted by Igor Galić <i....@brainsware.org>.

----- Original Message -----
> [TS-428] Add proxy.config.dns.validate_query_name to drecords.config doc from
> Jira notes.
> 
> 
> Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
> Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/44a86148
> Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/44a86148
> Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/44a86148
> 
> Branch: refs/heads/master
> Commit: 44a8614853f2d622861aa3ee434b1eb9fe255bb7
> Parents: 1b814a7
> Author: Miles Libbey <ml...@apache.org>
> Authored: Mon Dec 16 14:12:48 2013 -0800
> Committer: Miles Libbey <ml...@apache.org>
> Committed: Mon Dec 16 14:12:48 2013 -0800
> 
> ----------------------------------------------------------------------
>  doc/reference/configuration/records.config.en.rst | 6 ++++++
>  1 file changed, 6 insertions(+)
> ----------------------------------------------------------------------
> 
> 
> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/44a86148/doc/reference/configuration/records.config.en.rst
> ----------------------------------------------------------------------
> diff --git a/doc/reference/configuration/records.config.en.rst
> b/doc/reference/configuration/records.config.en.rst
> index fd662c5..353b8e6 100644
> --- a/doc/reference/configuration/records.config.en.rst
> +++ b/doc/reference/configuration/records.config.en.rst
> @@ -1403,6 +1403,12 @@ hostname to ``host_x.y.com``.
>     contention on the first worker thread (which otherwise takes on the
>     burden of
>     all DNS lookups).
>  
> +.. ts:cv:: CONFIG proxy.config.dns.validate_query_name INT 0
> +
> +   When enabled (1) provides additional resilience against DNS forgery (for
> instance
> +   in DNS Injection attacks), particularly in forward or transparent
> proxies, but
> +   requires that the resolver populates the queries section of the response
> properly.

What does that mean?

* who/what is the resolver? (we? HostDB? The system? something else?)
* what is the queries section?
* what qualifies as "properly"?

> +
>  HostDB
>  ======
>  
> 
> 
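Review bot: "requires that the resolver populates the queries section of the response properly" in the added paragraph leaves three terms undefined, as the reply above asks: which component "the resolver" is, what "the queries section" refers to, and what counts as "properly". Suggest stating whether the resolver is the upstream DNS server that Traffic Server queries. If "the queries section" means the DNS message's question section, use that name and spell out the condition; judging only from the setting name, that condition would be that the name in the response matches the name that was asked for.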

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
GPG: 8716 7A9F 989B ABD5 100F  4008 F266 55D6 2998 1641