blob: 2239c47250cdd27dfcecf34f8d3a75403321cabd (plain
# Log operators BCP
## Outgoing DNS queries
Note that a log will be making an outgoing DNS query for a TXT record for each
call to add-leaf. The name that is being looked up is chosen by the client. The
implementation in sigsum-log-go currently uses the system resolver (it is easy
to add other options).
Operators with a strict policy for what goes out of their systems will have to
allow arbitrary TXT records.
This should not be a problem wrt DoS since it's not a venue for amplification
attacks (the add-leaf request is quite large compared with the DNS request
generated) and generation of excess amounts of outgoing traffic is mitigated by
DNS resolvers performing caching.
Question: would there be any value in adding some restriction for what the name
must be? E.g., what if the left-most part had to be "sigsum"?
* Example: dig -t txt sigsum.rgdd.se
* This would allow stricter filtering than "all TXT records for all names"
which might be useful, but I'm not sure yet. If we did this, I think we
should use a label prefixed by an underscore, f.ex. "_sigsum" to avoid
collisions with natural names.