Bind8 Dynamic DNS How-To?
Jim Reid
jim at rfc1035.com
Wed Jun 14 17:56:22 UTC 2000
>>>>> "Barry" == Barry Finkel <b19141 at achilles.ctd.anl.gov> writes:

Barry> As I see it, there are two issues -
Barry> 1) Proper authentication of the computer that is sending
Barry> dynamic DNS updates to the SOA master

Indeed. But strong authentication isn't enough: that only proves who
you say you are. There's a need for authorisation and access controls
too, i.e. that some suitably authenticated user is permitted to
perform the update request that they're making. [Yes trusted-W2K-box,
you *really* can change my zone's MX and NS records if you feel like
it...]

Barry> 2) The pre-requisite checks that come with the DDNS packets
Barry> -- With improper or incomplete pre-requisite checks, even a
Barry> properly authenticated computer can corrupt a DNS entry via
Barry> DDNS.

The dynamic updates could also bust the zone by adding an illegal
resource record - an illegal hostname, say, or perhaps adding another RR
type for a name that already exists as a CNAME. Sigh. Relying on the
source of the dynamic update requests to check for these things and
prevent them is probably optimistic.
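
An added example, not part of the original post and not BIND code: a sketch of the server-side checks the message argues for, applied to an already authenticated "add RR" request. It covers per-key authorisation, hostname legality, and the CNAME coexistence rule. The key name, zone contents, ACL layout and function names are constructed for illustration.

```python
import re

# One hostname label per RFC 952/1123: letters, digits, hyphen,
# no leading or trailing hyphen, at most 63 characters.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

# RR types whose owner name is expected to be a legal hostname (assumed set).
HOST_TYPES = {"A", "AAAA", "MX"}

# Constructed sample zone: owner name -> RR types currently present.
ZONE = {
    "example.com": {"SOA", "NS", "MX"},
    "www.example.com": {"CNAME"},
    "pc17.example.com": {"A"},
}

# Constructed ACL: authenticated key -> owner name -> RR types it may add.
ACL = {
    "w2k-box-key": {
        "pc17.example.com": {"A", "CNAME"},
        "www.example.com": {"A"},
        "bad_host.example.com": {"A"},
    },
}

def legal_hostname(name):
    """True if every label of the name is a legal hostname label."""
    name = name.rstrip(".")
    return len(name) <= 253 and all(LABEL.fullmatch(l) for l in name.split("."))

def check_update(zone, acl, key, name, rtype):
    """Return None if the add may proceed, otherwise the refusal reason."""
    name = name.lower().rstrip(".")
    # Authorisation: authentication proved who sent it, not what they may change.
    if rtype not in acl.get(key, {}).get(name, set()):
        return "not authorised"
    # Do not trust the client to have validated the owner name.
    if rtype in HOST_TYPES and not legal_hostname(name):
        return "illegal hostname"
    existing = zone.get(name, set())
    # A CNAME may not coexist with other data (DNSSEC types ignored here).
    if "CNAME" in existing and rtype != "CNAME":
        return "name is a CNAME"
    if rtype == "CNAME" and existing - {"CNAME"}:
        return "CNAME and other data"
    return None
```
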