Bind8 Dynamic DNS How-To?

Kevin Darcy kcd at daimlerchrysler.com
Wed Jun 14 19:31:14 UTC 2000


peter at icke-reklam.ipsec.nu wrote:

> Barry Finkel <b19141 at achilles.ctd.anl.gov> wrote:
> > Jeff Newton wrote:
>
> >>It would seem to me that Win2K boxes aren't the problem here as any
> >>other client with "permission" to send updates could stomp on any
> >>DNS entry.
> >>
> >>Is stronger-authenticated updates in the works for a future Bind
> >>release?
>
> > As I see it, there are two issues -
>
> > 1) Proper authentication of the computer that is sending dynamic DNS
> >    updates to the SOA master -- Is that computer the real computer at
> >    that IP address, or has someone on another machine spoofed the IP
> >    address for the purpose of sending bogus DDNS packets?
>
> > 2) The pre-requisite checks that come with the DDNS packets -- With
> >    improper or incomplete pre-requisite checks, even a properly
> >    authenticated computer can corrupt a DNS entry via DDNS.  One of the
> >    reasons for my posting yesterday of my Win2k testing was to show the
> >    pre-requisites that MS has built into its Win2k code.  I do not agree
> >    that the MS pre-requisites are 100% correct.  When someone here
> >    at Argonne sends mail to hostmaster at anl.gov requesting a DNS
> >    update, the DNS administrators here can check the request for any
> >    conflicts before we edit the zones.  If we find conflicts, we send
> >    e-mail back to the requestor asking for clarifications.  With
> >    DDNS, that manual checking has been converted into the pre-requisite
> >    sections of the DDNS packets.
>
> I would like to add a third issue :
> 3)   for each entry added by dyndns, remembering which host/source made it,
>      and when that source is decommissioned, remove its RRs.
>
>      This is no easy task, since no one will tell bind whenever a machine is
>      switched off for the last time. Without it, debris will accumulate in
>      the database until manually removed.
>
> A speculation here: is MS-DNS actually removing these entries when their TTL
> times out? That would (in a way) solve this dilemma. Comments please!
>

Win 2000 DNS has a "scavenging" feature, I believe, which is intended to fix this
problem. But I'm no expert on that product...


- Kevin
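As an added illustration of points 2) and 3) above (not code from this thread, from BIND or from MS-DNS), the following Python sketch models RFC 2136 prerequisite checks on a constructed in-memory zone and a scavenging pass that drops records nobody has refreshed; all names, addresses and timestamps are made up.

```python
# Added example, not from the bind-users thread or any DNS server's code.
# It models (2) RFC 2136 prerequisites, which let an authorised updater
# refuse to touch a name it did not create, and (3) a scavenging pass that
# removes dynamic records whose source stopped refreshing them.
from dataclasses import dataclass, field


@dataclass
class Zone:
    # name -> {(rtype, rdata)}; last_refresh: name -> time of last update
    rrs: dict = field(default_factory=dict)
    last_refresh: dict = field(default_factory=dict)

    def _check_prereqs(self, prereqs):
        # Each prerequisite is (kind, name) in the sense of RFC 2136 s2.4:
        # "nxdomain" = name must not exist, "yxdomain" = name must exist.
        for kind, name in prereqs:
            exists = bool(self.rrs.get(name))
            if kind == "nxdomain" and exists:
                return "YXDOMAIN"      # RCODE the server would return
            if kind == "yxdomain" and not exists:
                return "NXDOMAIN"
        return None

    def update(self, prereqs, adds, now):
        """Apply (name, rtype, rdata) additions only if every prerequisite
        holds. Returns the RCODE name: NOERROR on success."""
        err = self._check_prereqs(prereqs)
        if err:
            return err
        for name, rtype, rdata in adds:
            self.rrs.setdefault(name, set()).add((rtype, rdata))
            self.last_refresh[name] = now
        return "NOERROR"

    def scavenge(self, now, max_age):
        """Remove dynamically added names not refreshed within max_age
        seconds and return the list of names removed."""
        stale = [n for n, t in self.last_refresh.items() if now - t > max_age]
        for n in stale:
            self.rrs.pop(n, None)
            self.last_refresh.pop(n, None)
        return stale


def demo():
    z = Zone()
    ws1 = [("ws1.example", "A", "192.0.2.10")]
    # A workstation registers its name at t=0, guarded by "must not exist".
    first = z.update([("nxdomain", "ws1.example")], ws1, now=0)
    # Another authorised client tries to claim the same name with the same
    # guard: the prerequisite fails, so its update is refused.
    second = z.update([("nxdomain", "ws1.example")],
                      [("ws1.example", "A", "192.0.2.99")], now=10)
    # ws1 is never refreshed; scavenging after 7 days (604800 s) removes it.
    gone = z.scavenge(now=700000, max_age=604800)
    return {"first": first, "second": second, "gone": gone, "rrs": z.rrs}
```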



