Tuesday, January 19, 2010

New Deadwood snapshot: filter_rfc1918

In private email, someone has expressed interest in sponsoring MaraDNS having the ability to filter out RFC1918 (private) IPs in DNS replies. The reason for this is that it stops potential security problems; see http://crypto.stanford.edu/dns/ for the technical details.

I told the potential sponsor I would do this for free for Deadwood (since I still add security-enhancing features to Deadwood at my discretion for free), and gave them a quote for me to add this to MaraDNS 1.4, explaining I would not be able to start until this week because I was planning my wedding last week. They expressed interest in paying me, but have not done so yet. Hopefully, I will get some pocket change implementing this for MaraDNS 1.4; in the meantime, it has been implemented for Deadwood, and can be seen here:

http://maradns.org/deadwood/snap/

I have implemented and documented this parameter, and have modified all SQA tests to have filter_rfc1918 = 0 in them.
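The check that filtering RFC1918 addresses out of DNS replies comes down to, as an added example (not Deadwood's code and not from this post): it walks a reply in wire format and counts the A records whose address falls in 10/8, 172.16/12 or 192.168/16. The function names and the two sample replies are constructed for illustration, and what a resolver does with a flagged reply is left to the caller.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample replies for "a.example": header, question, one IN A record (TTL 60). */
#define REPLY_PREFIX 0x12,0x34,0x81,0x80,0,1,0,1,0,0,0,0, 1,'a',7,'e','x','a','m','p','l','e',0, \
                     0,1,0,1, 0xc0,0x0c,0,1,0,1,0,0,0,60,0,4
const uint8_t reply_private[] = { REPLY_PREFIX, 192, 168, 1, 10 };
const uint8_t reply_public[]  = { REPLY_PREFIX, 203, 0, 113, 5 };

/* 1 if the address lies in 10/8, 172.16/12 or 192.168/16 (RFC1918), else 0. */
int is_rfc1918(const uint8_t ip[4]) {
    return ip[0] == 10 || (ip[0] == 172 && (ip[1] & 0xf0) == 16) || (ip[0] == 192 && ip[1] == 168);
}

/* Step over a (possibly compressed) name; returns the next offset, 0 if malformed. */
static size_t skip_name(const uint8_t *m, size_t len, size_t off) {
    while (off < len) {
        uint8_t c = m[off];
        if (c == 0) return off + 1;                                  /* root label ends the name */
        if ((c & 0xc0) == 0xc0) return off + 2 <= len ? off + 2 : 0; /* compression pointer */
        if (c & 0xc0) return 0;                                      /* reserved label type */
        off += 1 + (size_t)c;
    }
    return 0;
}

/* Number of IN A records with an RFC1918 address, over all sections; -1 if malformed. */
int count_rfc1918(const uint8_t *m, size_t len) {
    if (len < 12) return -1;
    int hits = 0, qd = (m[4] << 8) | m[5];
    int rr = ((m[6] << 8) | m[7]) + ((m[8] << 8) | m[9]) + ((m[10] << 8) | m[11]);
    size_t off = 12;
    while (qd-- > 0)                       /* each question: name, then type and class */
        if (!(off = skip_name(m, len, off)) || (off += 4) > len) return -1;
    while (rr-- > 0) {
        if (!(off = skip_name(m, len, off)) || off + 10 > len) return -1;
        unsigned type = (m[off] << 8) | m[off + 1], cls = (m[off + 2] << 8) | m[off + 3];
        size_t rdlen = ((size_t)m[off + 8] << 8) | m[off + 9];
        off += 10;
        if (off + rdlen > len) return -1;  /* RDATA runs past the end of the packet */
        if (type == 1 && cls == 1 && rdlen == 4 && is_rfc1918(m + off)) hits++;
        off += rdlen;
    }
    return hits;
}

int main(void) {
    printf("private: %d, public: %d\n", count_rfc1918(reply_private, sizeof reply_private), count_rfc1918(reply_public, sizeof reply_public));
}
```

A caller would treat any non-zero result (flagged records or a malformed packet) as a reply not to pass on unchanged.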

Next: Test this change; not only do I have to make sure this hasn't broken any existing SQA tests, I also have to make an SQA test for this parameter, called filter_rfc1918.