From f830737c51b5a05917efcd6638e5dc71f7f97f51 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Wed, 14 Sep 2022 14:18:32 +0200 Subject: [PATCH] Provide stronger wording about the security of statistics channel Add more text about the importance of properly securing the statistics channel and what is and what is not considered a security vulnerability. (cherry-picked from commit 6869c98d369270e4efbc3ffa0cd21526b32907de) --- doc/arm/reference.rst | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 14c13987cf..f004298564 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst 
@@ -4694,9 +4694,21 @@ If no port is specified, port 80 is used for HTTP channels. The asterisk Attempts to open a statistics channel are restricted by the optional ``allow`` clause. Connections to the statistics channel are permitted based on the ``address_match_list``. If no ``allow`` clause is -present, ``named`` accepts connection attempts from any address; since -the statistics may contain sensitive internal information, it is highly -recommended to restrict the source of connection requests appropriately. +present, ``named`` accepts connection attempts from any address. Since +the statistics may contain sensitive internal information, the source of +connection requests must be restricted appropriately so that only +trusted parties can access the statistics channel. + +Gathering data exposed by the statistics channel locks various subsystems in +``named``, which could slow down query processing if statistics data is +requested too often. + +An issue in the statistics channel would be considered a security issue +only if it could be exploited by unprivileged users circumventing the access +control list. In other words, any issue in the statistics channel that could be +used to access information unavailable otherwise, or to crash ``named``, is +not considered a security issue if it can be avoided through the +use of a secure configuration. If no ``statistics-channels`` statement is present, ``named`` does not open any communication channels.
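Review bot: the new wording says the source of connection requests "must be restricted appropriately", yet the same sentence still documents that omitting ``allow`` makes ``named`` accept connections from any address, so the reader gets a requirement without a concrete instruction; consider stating explicitly that an ``allow`` clause should always be configured whenever ``statistics-channels`` is used, and that the channel should listen on a loopback or management address rather than the asterisk wildcard. The "security issue" paragraph would also read more precisely if "access control list" were tied back to the ``allow`` clause named just above, and if the "secure configuration" it relies on were spelled out as that restriction, so operators know which setting the policy hinges on. The locking paragraph notes that frequent requests can slow query processing; it may be worth saying that this is a second reason to limit the channel to trusted monitoring hosts, since even a permitted client polling too aggressively affects service.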