running w/ win2k as master and bind8 as slave (was win2k's dns)
Joseph S D Yao
jsdy at cospo.osis.gov
Wed Sep 1 14:01:49 UTC 1999
> But if you do a good job of change management pre-DDNS, how
> can you do a good job of change management post-DDNS??
...
> If I run DDNS and I notice a change that's happened via DDNS,
> I doubt I will ever be able to answer three very important
> security related questions: 1) should that change have been
> allowed? 2) who made that change? 3) why was that change made?
>
> I think DDNS is vaguely scary: it appears to have significant
> security issues because it lacks fine-grain authorization
> control and auditability.

Authorization, yes. For audit, would it help if you had set:

    logging {
        ...
        category update { ... };
        category security { ... };
        category response-checks { ... };
        ...
    };

? [I have yet to check the code to see how much would be audited.]

--
Joe Yao jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
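
An added example, not part of the original message: one way the elided parts of the logging statement above could be filled in for BIND 8, sending the three categories to a dedicated timestamped channel. The channel name, file path, zone name and address are assumptions made for illustration, and the zone stanza assumes a zone for which this BIND server is the master; how much detail each category actually records depends on the server code, as the message notes.

```conf
// named.conf fragment (BIND 8 syntax). All names, paths and addresses
// below are constructed for illustration.

logging {
    // Dedicated channel so update and security events are not mixed
    // into the general syslog stream.
    channel audit_log {
        file "/var/log/named-audit.log" versions 10 size 5m;
        severity info;
        print-time yes;        // timestamp every entry
        print-category yes;    // record which category produced it
        print-severity yes;
    };

    category update          { audit_log; };  // dynamic update activity
    category security        { audit_log; };  // approved/denied requests
    category response-checks { audit_log; };  // malformed or odd responses
};

// Authorization in BIND 8 is by address match list only, which is the
// coarse-grained control the quoted text objects to.
zone "example.com" {
    type master;
    file "db.example.com";
    allow-update { 192.0.2.10; };   // single host permitted to send updates
};
```

With this in place, entries in the audit file give a time and a category for each logged event, and the address match list narrows which hosts can send updates at all; neither records why a change was made.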