Zone update by something other than IP
Edson Manners
emanners at acns.fsu.edu
Thu Apr 7 15:57:00 UTC 2005
Once I upgraded from Bind8 to Bind9 on our Unix Bind server I began to
get the following error in my logs.
    dns1 named[8726]: zone 'zoneA' allows updates by IP address, which is insecure
    dns1 named[8726]: zone 'zoneB' allows updates by IP address, which is insecure
    dns1 named[8726]: zone 'zoneC' allows updates by IP address, which is insecure
    dns1 named[8726]: zone 'zoneD' allows updates by IP address, which is insecure
    dns1 named[8726]: zone 'zoneE' allows updates by IP address, which is insecure
Upon further inspection I realized that the machines doing these updates
were all Windows DNS servers. I started looking into finding another
(more secure) way to allow these machines to update the zones on the
Unix Bind server.
I ran into DNSSEC and started the key generation stuff (dnssec-keygen),
added the key to the named.conf file, added the key statement to the
offending zones and commented out the IP addresses.
    // Shared-secret (TSIG) key; the name here is what allow-update refers to.
    key "zoneA" {
        algorithm hmac-md5;
        secret "sfsdfsd.....lMQXEzDapzw==....";
    };
    zone "zoneA" {
        type master;
        file "zoneA";
        allow-update {
            key "zoneA";        // must match the key statement above, or named refuses to load
            //146.201.7.231;    // former address-based grant, now disabled
            //146.201.7.232;
        };
    };
When I restart the Unix named server the errors no longer show up, so I
feel I am on the right track. However, I cannot figure out for the life
of me where to insert the key in the DNS server running on Windows
Server 2003.
Anyone have any experience with this kinda thing?
--
Edson Manners
Academic Computing & Networking Services
Florida State University
Work - (850)644-2591 ext. 144
Cell - (850)251-4067
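As an added illustration, not part of the original post: the key stanza above is a TSIG key (RFC 2845), and the Python below builds a minimal RFC 2136 UPDATE, signs it with HMAC-MD5 under such a key, and checks the signature the way the receiving server would. The zone, host, key name, secret and timestamp are constructed placeholders, not values from the post.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo values: placeholder key name and secret, not the post's.
KEY_NAME = "zonea-key"
SECRET_B64 = base64.b64encode(b"constructed-demo-secret-0001").decode()
ALG = "hmac-md5.sig-alg.reg.int"          # TSIG algorithm name for hmac-md5
TSIG_TYPE, CLASS_ANY, CLASS_IN = 250, 255, 1

def encode_name(name):
    """Wire-format owner name: length-prefixed lowercase labels, uncompressed."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"

def build_update(zone, host, ip, msg_id=0x1234):
    """Unsigned RFC 2136 UPDATE that adds one A record for host in zone."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)       # opcode 5 = UPDATE
    zone_section = encode_name(zone) + struct.pack("!HH", 6, CLASS_IN)  # SOA IN
    rdata = bytes(int(octet) for octet in ip.split("."))
    update = encode_name(host) + struct.pack("!HHIH", 1, CLASS_IN, 3600, len(rdata)) + rdata
    return header + zone_section + update

def tsig_digest_input(msg, keyname, time_signed, fudge):
    """Bytes the MAC covers: the unsigned message followed by the TSIG variables."""
    time_hi, time_lo = time_signed >> 32, time_signed & 0xFFFFFFFF
    variables = (encode_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(ALG)
                 + struct.pack("!HIHHH", time_hi, time_lo, fudge, 0, 0))  # error=0, other-len=0
    return msg + variables

def sign_update(msg, keyname, secret_b64, time_signed, fudge=300):
    """Append a TSIG RR (type 250) to the additional section and bump ARCOUNT."""
    key = base64.b64decode(secret_b64)
    mac = hmac.new(key, tsig_digest_input(msg, keyname, time_signed, fudge), hashlib.md5).digest()
    time_hi, time_lo = time_signed >> 32, time_signed & 0xFFFFFFFF
    original_id = struct.unpack("!H", msg[:2])[0]
    rdata = (encode_name(ALG) + struct.pack("!HIHH", time_hi, time_lo, fudge, len(mac)) + mac
             + struct.pack("!HHH", original_id, 0, 0))                  # error, other-len
    tsig_rr = encode_name(keyname) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + tsig_rr

def tsig_mac_valid(signed, unsigned_len, keyname, secret_b64, time_signed, fudge=300):
    """Server-side check: recompute the MAC over the message minus its TSIG RR.
    unsigned_len is passed in for brevity; a real server walks the sections to find the TSIG RR."""
    arcount = struct.unpack("!H", signed[10:12])[0] - 1
    unsigned = signed[:10] + struct.pack("!H", arcount) + signed[12:unsigned_len]
    expected = hmac.new(base64.b64decode(secret_b64),
                        tsig_digest_input(unsigned, keyname, time_signed, fudge), hashlib.md5).digest()
    # MAC sits after: key name, 10 bytes of RR fixed fields, algorithm name, 10 bytes of TSIG rdata
    mac_offset = unsigned_len + len(encode_name(keyname)) + 10 + len(encode_name(ALG)) + 10
    return hmac.compare_digest(signed[mac_offset:mac_offset + 16], expected)
```

Any change to the secret, the key name, the timestamp or the message body invalidates the MAC, which is why a key grant is stronger than the address-based grant BIND 9 warns about.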