dns-operations - [opennic-dns-operations] Whitelist functions are now ready

  • From: Jeff Taylor <shdwdrgn AT sourpuss.net>
  • To: dns-operations AT lists.opennicproject.org
  • Subject: [opennic-dns-operations] Whitelist functions are now ready
  • Date: Mon, 10 Feb 2014 11:52:17 -0700

As some of you have heard, I have been working on whitelisting functions to counter the attacks we have been seeing on the public servers. I believe we have all the tools in place to start using this feature, although there are still some issues that need to be resolved.

*** Tools ***
There are two API tools available. Both require a username and authentication key. This key is not connected to your password, it is a randomly-generated string. If you ever feel this has been compromised, you can contact me directly and I will generate a new auth key for you.

T2 operators can log into the members page and you will see a 'wget' line that you can use to retrieve an ACL file suitable for BIND. (If any other formats are desired, please contact me.) This file is updated every 15 minutes, and contains three sections: opennic_T1 (T1 servers), opennic_T2 (T2 servers), and opennic_whitelist (whitelisted users). I may also add a section for opennic_blacklist later on if we need to.

Users can log into the members page and view a similar 'wget' line which will register the IP address they are currently using. There are some additional commands that can be performed in this wget statement that are not listed...
-- After the user and auth parameters, you may individually specify exact IPs that you wish to whitelist. These may also include netmasks. So for example, you may specify a line such as:
?user=<username>&auth=<authkey>&8.8.8.8&4.4.4.4/31
Note there is no variable name specified, the IPs just go directly after each & symbol. Netmasks must be specified in CIDR format. IPv6 addresses are also accepted. If you specify an IP in this manner, the IP you are making the call from is NOT included. You may not list more than 10 IPs. The netmask may not be any larger than a /28.

-- You may also purposely delete IPs from the whitelist. As above, specify the IP(s) as part of the URL, but precede each with a minus (-) symbol, like this:
?user=<username>&auth=<authkey>&-8.8.8.8&-4.4.4.4
Note that when you are deleting an IP, you do not need to specify the netmask. ONLY T1 and T2 operators may access this data. The info supplied will only list the actual IP addresses, never any usernames. Even so, please keep this information secure to protect our users' privacy.

For either of the wget tools, you may also just visit the URL directly (you will have to accept the SSL cert warning). The ACL page is formatted with <pre> tags, and the IP update page is plaintext using <br> for linefeeds.


*** Issues ***
-- The SSL cert is currently self-signed. We will get an official cert to use when possible. In the meantime, the "wget --no-check-certificate" option is being used to ignore the warning, although the data is still encrypted over SSL.
-- The wiki usernames are not directly tied to the LDAP records. This is still a work in progress, and we will get this resolved eventually. If your wiki username does not work as a t2operator login, please let me know.
-- There are no T1 operator accounts yet. If you need one created, let me know and I'll give you the procedure to get an account registered. T1 operators may wish to use the server list ACLs to control access, such as restricting AXFR requests to everything but the root zone?
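The query convention described in the post above (bare IP or CIDR tokens after user/auth, a leading minus for deletions, at most 10 IPs, nothing broader than a /28) is small enough to implement end to end. The following is an added example and not OpenNIC's own code: one side builds a well-formed update query, the other parses and validates it the way the members-page endpoint would have to. The post gives no size limit for IPv6 prefixes, so the /64 floor used here is an assumption, as is the choice to register the caller's own address only when the query carries no IP tokens at all.

```python
"""Build and validate OpenNIC-style whitelist update queries.

Added example, not the OpenNIC project's own code.  Implements the query
convention from the post: after user/auth, every further '&'-separated
token is a bare IP or CIDR prefix to add, or a '-'-prefixed IP to delete.
Limits from the post: at most 10 IPs per call, no IPv4 prefix broader
than /28.  The post states no IPv6 limit; the /64 floor is an assumption.
"""
import ipaddress

MAX_IPS = 10
MIN_V4_PREFIX = 28   # "The netmask may not be any larger than a /28"
MIN_V6_PREFIX = 64   # assumption: the post gives no IPv6 size limit


def _net(token):
    """Validate one add-token as a host address or CIDR prefix."""
    net = ipaddress.ip_network(token, strict=False)
    floor = MIN_V4_PREFIX if net.version == 4 else MIN_V6_PREFIX
    if net.prefixlen < floor:
        raise ValueError(f"{token}: prefix broader than /{floor} not allowed")
    return net


def _token(net):
    """Render a network the way the post writes it: bare IP, or CIDR."""
    if net.num_addresses == 1:
        return str(net.network_address)
    return net.with_prefixlen


def build_query(user, auth, add=(), remove=()):
    """Return the query string for one whitelist update call.

    With no add/remove entries the call whitelists the caller's own IP;
    as soon as explicit IPs are given the caller's IP is not included.
    Deletions are sent as bare addresses; any netmask given is dropped.
    """
    if len(add) + len(remove) > MAX_IPS:
        raise ValueError(f"more than {MAX_IPS} IPs in one call")
    parts = [f"user={user}", f"auth={auth}"]
    parts += [_token(_net(t)) for t in add]
    parts += ["-" + str(ipaddress.ip_interface(t).ip) for t in remove]
    return "?" + "&".join(parts)


def parse_query(query):
    """Server-side view: split a query into user, auth, adds and removes.

    Only user/auth are key=value pairs; IP tokens carry no variable name,
    so the query is split on '&' by hand rather than with a generic
    query-string parser.
    """
    user = auth = None
    adds, removes = [], []
    for tok in query.lstrip("?").split("&"):
        if not tok:
            continue
        if "=" in tok:
            key, value = tok.split("=", 1)
            if key == "user":
                user = value
            elif key == "auth":
                auth = value
            else:
                raise ValueError(f"unknown parameter {key!r}")
        elif tok.startswith("-"):
            removes.append(ipaddress.ip_interface(tok[1:]).ip)
        else:
            adds.append(_net(tok))
    if user is None or auth is None:
        raise ValueError("user and auth are required")
    if len(adds) + len(removes) > MAX_IPS:
        raise ValueError(f"more than {MAX_IPS} IPs in one call")
    return {
        "user": user,
        "auth": auth,
        "add": adds,
        "remove": removes,
        # assumption: the caller's own IP is registered only when the
        # query names no IPs at all
        "register_caller": not adds and not removes,
    }


if __name__ == "__main__":
    # constructed sample values, not real credentials
    q = build_query("alice", "k3y", add=["8.8.8.8", "4.4.4.4/31"], remove=["2001:db8::1"])
    print(q)
    print(parse_query(q))
```

On the T2 side the fetched file defines the ACLs opennic_T1, opennic_T2 and opennic_whitelist, so a named.conf can include it and reference those names from allow-recursion. Note that the auth key travels in the URL, so it will show up in shell history and in any web-server access log in front of the members page; treat those the way you would treat the key itself.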
