Bind8 Dynamic DNS How-To?
Kevin Darcy
kcd at daimlerchrysler.com
Wed Jun 14 19:31:14 UTC 2000
peter at icke-reklam.ipsec.nu wrote:
> Barry Finkel <b19141 at achilles.ctd.anl.gov> wrote:
> > Jeff Newton wrote:
>
> >>It would seem to me that Win2K boxes aren't the problem here as any
> >>other client with "permission" to send updates could stomp on any
> >>DNS entry.
> >>
> >>Is stronger-authenticated updates in the works for a future Bind
> >>release?
>
> > As I see it, there are two issues -
>
> > 1) Proper authentication of the computer that is sending dynamic DNS
> > updates to the SOA master -- Is that computer the real computer at
> > that IP address, or has someone on another machine spoofed the IP
> > address for the purpose of sending bogus DDNS packets?
>
> > 2) The pre-requisite checks that come with the DDNS packets -- With
> > improper or incomplete pre-requisite checks, even a properly
> > authenticated computer can corrupt a DNS entry via DDNS. One of the
> > reasons for my posting yesterday of my Win2k testing was to show the
> > pre-requisites that MS has built into its Win2k code. I do not agree
> > that the MS pre-requisites are 100% correct. When someone here
> > at Argonne sends mail to hostmaster at anl.gov requesting a DNS
> > update, the DNS administrators here can check the request for any
> > conflicts before we edit the zones. If we find conflicts, we send
> > e-mail back to the requestor asking for clarifications. With
> > DDNS, that manual checking has been converted into the pre-requisite
> > sections of the DDNS packets.
>
> I would like to add a third issue :
> 3) for each entry added by dyndns, remembering which host/source made it,
> and when that source is decommissioned, removing its RRs.
>
> This is no easy task, since no one will tell bind whenever a machine is
> switched off for the last time. Without it, debris will accumulate in
> the database until manually removed.
>
> A speculation here, is MS-DNS actually removing these entries when their TTL
> times out ? That would (in a way) solve this dilemma. Comments please!
>
Win 2000 DNS has a "scavenging" feature, I believe, which is intended to fix this
problem. But I'm no expert on that product...
- Kevin
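Issue 2 above (prerequisite checks) is what actually stops a properly authenticated client from stomping on someone else's record. The following is an added example, not code from the thread or from BIND: a minimal in-memory model of RFC 2136 prerequisite evaluation, with constructed zone names and addresses, showing why a "name not in use" prerequisite refuses a conflicting update while an update sent with no prerequisites overwrites freely.

```python
from dataclasses import dataclass, field

@dataclass
class Zone:
    # Constructed sample zone: owner name -> {rtype: set of rdata strings}
    rrsets: dict = field(default_factory=dict)

    def name_in_use(self, name):
        return bool(self.rrsets.get(name))

    def rrset_exists(self, name, rtype, rdata=None):
        rrs = self.rrsets.get(name, {}).get(rtype, set())
        return bool(rrs) if rdata is None else rrs == set(rdata)

# Prerequisite kinds from RFC 2136 section 2.4 (wire-format class/type encoding omitted).
def check_prereqs(zone, prereqs):
    """Return (ok, rcode); every prerequisite must hold or the update is refused."""
    for p in prereqs:
        kind, name = p[0], p[1]
        if kind == "name_in_use" and not zone.name_in_use(name):
            return False, "NXDOMAIN"
        if kind == "name_not_in_use" and zone.name_in_use(name):
            return False, "YXDOMAIN"
        if kind == "rrset_exists" and not zone.rrset_exists(name, p[2], p[3] if len(p) > 3 else None):
            return False, "NXRRSET"
        if kind == "rrset_not_exists" and zone.rrset_exists(name, p[2]):
            return False, "YXRRSET"
    return True, "NOERROR"

def apply_update(zone, prereqs, adds):
    """Apply the add section only if all prerequisites hold; return the RCODE."""
    ok, rcode = check_prereqs(zone, prereqs)
    if ok:
        for name, rtype, rdata in adds:
            zone.rrsets.setdefault(name, {}).setdefault(rtype, set()).add(rdata)
    return rcode

def demo():
    zone = Zone({"pc1.example.net.": {"A": {"10.0.0.5"}}})
    # A second host claims pc1's name; "name not in use" refuses it with YXDOMAIN.
    r1 = apply_update(zone, [("name_not_in_use", "pc1.example.net.")],
                      [("pc1.example.net.", "A", "10.0.0.99")])
    # The same host registers its own, unused name: the update succeeds.
    r2 = apply_update(zone, [("name_not_in_use", "pc2.example.net.")],
                      [("pc2.example.net.", "A", "10.0.0.99")])
    # With no prerequisites at all, the server accepts an add onto pc1's name.
    r3 = apply_update(zone, [], [("pc1.example.net.", "A", "10.0.0.99")])
    return r1, r2, r3, sorted(zone.rrsets["pc1.example.net."]["A"])
```

The third call is the "stomping" case from the quoted message: the server cannot tell a legitimate re-registration from a clash unless the client (or a server-side policy) supplies the prerequisites.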