How secure is rndc?
Edward Lewis
Ed.Lewis at neustar.biz
Thu Dec 21 19:22:14 UTC 2006
At 17:13 +0100 12/21/06, Marc Haber wrote:
>On Thu, Dec 21, 2006 at 09:39:12AM -0600, Len Conrad wrote:
>> >So people can see whether I just have reloaded or stopped my server. I
>> >do not have a big problem with that.
>>
>> and they can reload or stop your DNS server, too (if they have the key)
>
>If they have the rndc key, they can use rndc. If they have the ssh
>key, they can ssh. Same thing. And of course true.
Yep. 'Cept for one thing. SSH uses asymmetric keys, RNDC uses
symmetric (at least when using TSIG). The implication is that the
RNDC key has to be distributed secretly and if one side is broken
into, the secret of the other side is also broken. (Minor nits in
reality I think, but I've heard these arguments before.)
>Additionally, in my understanding, I can limit a key to be only valid
>when used from certain IP addresses.
True. But there are security purists that balk at the notion of
tying any authorization to the source address.
I suppose the question to be answered is why RNDC does not encipher
the payload. I think the answer is export control. There was a time
when it was okay to send signed messages but not encrypted messages
in some parts of the world. I don't know if that is as true now as
maybe 10 years ago.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
Dessert - aka Service Pack 1 for lunch.
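
The two properties discussed in this message, a shared symmetric key and a payload that is signed but not enciphered, can be seen in a small model. This is an added example, not part of the original post and not BIND code: the message layout, function names and key below are assumptions made for illustration and are not the rndc wire format.

```python
import hashlib
import hmac
import json

# Constructed shared secret. In this model the control client and the server
# hold the same bytes, as with a symmetric key, so a copy taken from either
# host is enough to produce messages the other side accepts.
SHARED_KEY = b"constructed-demo-secret"


def sign_command(key: bytes, command: str, serial: int) -> bytes:
    """Return a cleartext message carrying the command and an HMAC-SHA256 tag."""
    body = json.dumps({"cmd": command, "serial": serial}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag}).encode()


def verify_command(key: bytes, wire: bytes):
    """Return the command if the tag verifies under key, otherwise None."""
    try:
        msg = json.loads(wire)
        body, tag = msg["body"], msg["tag"]
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None
        return json.loads(body)["cmd"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # malformed input is rejected, never trusted


def observer_view(wire: bytes) -> str:
    """What a party without the key still learns: the command is readable."""
    return json.loads(json.loads(wire)["body"])["cmd"]


def tamper(wire: bytes, new_command: str) -> bytes:
    """Change the command in transit without the key; the old tag is kept."""
    msg = json.loads(wire)
    body = json.loads(msg["body"])
    body["cmd"] = new_command
    msg["body"] = json.dumps(body, sort_keys=True)
    return json.dumps(msg).encode()


if __name__ == "__main__":
    wire = sign_command(SHARED_KEY, "reload", 1)
    print("observer reads:", observer_view(wire))
    print("server accepts:", verify_command(SHARED_KEY, wire))
    print("altered message:", verify_command(SHARED_KEY, tamper(wire, "stop")))
```

The tag gives integrity and authentication only: the command stays visible on the wire, and the verifier cannot tell which holder of the key created a message.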