SECURE Dynamic DNS
Cricket Liu
cricket at acmebw.com
Tue Jun 1 20:24:37 UTC 1999
> While setting it up I was talking to several people on IRC who ran
> another DNS provider and one of them showed that it is possible to spoof
> the update packet hence making it possible for anyone to update the
> dynamic zone as long as they know which IP address to send the update
> packet from.
Yup. Big problem.
> I am looking for a method to protect from this problem, does anyone
> have any ideas?
How about using TSIG-authenticated dynamic updates? BIND 8.2 supports them.
You'd have to configure the key on the updater and the server, and you might
have to write some client code to send a TSIG-signed dynamic update, but
that's all.
cricket
Acme Byte & Wire
cricket at acmebw.com
www.acmebw.com
Attend our next DNS and BIND class! See
www.acmebw.com/training.htm for the
schedule and to register for upcoming
classes.
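
Added example, not part of the original message and not BIND's code: a standard-library Python sketch of the TSIG signing the reply suggests (RFC 2845), showing the updater appending a keyed MAC to a dynamic update and the server rejecting unsigned, altered or stale packets no matter which source IP they arrive from. The key name `update-key`, the zone and host names, the secret and the `hmac-sha256` algorithm are assumptions chosen for illustration, and `verify` assumes the TSIG RR is the last record in the packet.

```python
import hmac, hashlib, socket, struct

ALG = "hmac-sha256"  # assumption: RFC 4635 algorithm name, shared by both sides
TSIG, ANY, FUDGE = 250, 255, 300  # RR type, class, allowed clock skew (seconds)

def name(n):
    """Domain name in lowercase DNS wire format."""
    labels = [l for l in n.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\0"

def build_update(zone, host, ip, msg_id=0x1234):
    """Unsigned UPDATE (opcode 5) adding one A record; all values are constructed."""
    header = struct.pack("!6H", msg_id, 0x2800, 1, 0, 1, 0)
    zone_sec = name(zone) + struct.pack("!HH", 6, 1)  # type SOA, class IN
    rr = name(host) + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + zone_sec + rr

def mac(secret, msg, key, when):
    # RFC 2845: the digest covers the message, then the TSIG variables.
    tv = (name(key) + struct.pack("!HI", ANY, 0) + name(ALG)
          + when.to_bytes(6, "big") + struct.pack("!3H", FUDGE, 0, 0))
    return hmac.new(secret, msg + tv, hashlib.sha256).digest()

def sign(msg, key, secret, when):
    """Updater side: append the TSIG RR and increment ARCOUNT."""
    m = mac(secret, msg, key, when)
    rdata = (name(ALG) + when.to_bytes(6, "big") + struct.pack("!HH", FUDGE, len(m))
             + m + msg[:2] + struct.pack("!HH", 0, 0))
    rr = name(key) + struct.pack("!HHIH", TSIG, ANY, 0, len(rdata)) + rdata
    return msg[:10] + struct.pack("!H", msg[10] * 256 + msg[11] + 1) + msg[12:] + rr

def verify(pkt, key, secret, now):
    """Server side: accept only a fresh update whose trailing TSIG RR matches the key."""
    prefix = name(key) + struct.pack("!HHI", TSIG, ANY, 0)
    rr_len = len(prefix) + 2 + len(name(ALG)) + 10 + 32 + 6
    body, rr = pkt[:-rr_len], pkt[-rr_len:]
    rdata = rr[len(prefix) + 2:]
    arcount = struct.unpack("!H", body[10:12])[0] if len(body) >= 12 else 0
    if not rr.startswith(prefix) or not rdata.startswith(name(ALG)) or arcount < 1:
        return False  # unsigned, or wrong key name or algorithm
    off = len(name(ALG))
    when = int.from_bytes(rdata[off:off + 6], "big")
    msg = body[:10] + struct.pack("!H", arcount - 1) + body[12:]
    fresh = abs(now - when) <= FUDGE
    return fresh and hmac.compare_digest(rdata[off + 10:off + 42], mac(secret, msg, key, when))
```
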