is DDNS for me?

Kevin Darcy kcd at daimlerchrysler.com
Thu Apr 5 00:25:37 UTC 2001


Brad Knowles wrote:

> At 7:00 PM -0400 4/4/01, Kevin Darcy wrote:
>
> >  Um, TSIG-authentication exists today. nsupdate supports it. I use
> >  TSIG-authenticated Dynamic Updates for virtually *all* DNS updates to our
> >  internal DNS (everything except modifications to delegation records, since
> >  the BIND 8 nsupdate doesn't handle them properly).
>
>         Really?  Cool.
>
>         Now, it is my understanding that once a zone is maintained with
> nsupdate, you can't maintain it any other way, so you would want to
> make sure that all DDNS stuff was segregated into its own sub-zone
> (as is recommended today with NT servers wanting to do dynamic
> updates using Microsoft proprietary extensions to the protocol).  Is
> this correct?

(I assume you mean Win2K rather than NT. I'm not aware that NT has any built-in
Dynamic Update capability). Yes, given a normal set of assumptions. But any or
all of the following might be true:

a) maybe you already have secure connections (e.g. IPSEC and/or VPN), so it is
acceptable to trust source IP addresses, or

b) maybe you have segregated the Active Directory stuff in its own namespace, so
you don't really care whether it gets hacked or not (wouldn't hurt anything
else), or

c) maybe you've already converted all of your maintenance systems to use Dynamic
Update (like I have), so, security aside, the Win2K-originating Dynamic Updates,
and Dynamic Updates from other sources, could theoretically co-exist without the
need to delegate any subzones. BIND 9 makes this even more plausible, since it
brings finer-grained control over who can update what.

(BTW, I have it on good authority that one of the BIND-based commercial products
is busy trying to hack GSS-TSIG into BIND).

>         And you probably wouldn't want to hand to someone a TSIG key that
> would allow them to make any and all changes they want to the root of
> your zone, right?

Yepper.


- Kevin
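As an added example that is not part of the original thread, this is what the BIND 9 "finer-grained control over who can update what" mentioned in (c) looks like in named.conf, next to the coarse key-based `allow-update` form; key names, zone names and secrets are placeholders, and hmac-sha256 stands in for the hmac-md5 of that era.

```conf
// named.conf excerpt (BIND 9 syntax). All names and secrets are placeholders.

// One TSIG key per updater. The key name is also the identity that
// update-policy rules match against, so name it after the host or role.
key "host1.example.com." {
    algorithm hmac-sha256;
    secret "<base64 secret from tsig-keygen>";   // placeholder, not a real key
};

key "dhcp-server.example.com." {
    algorithm hmac-sha256;
    secret "<base64 secret from tsig-keygen>";   // placeholder, not a real key
};

// Coarse form (the only key-based option in BIND 8): any holder of this key
// may change any record in the zone. This is the "hand someone a TSIG key to
// the root of your zone" situation the thread warns about.
zone "legacy.example.com" {
    type master;
    file "legacy.example.com.db";
    allow-update { key "dhcp-server.example.com."; };
};

// Fine-grained form (BIND 9): each key may only touch the names and record
// types it is granted, so Win2K-style self-registration and other updaters
// can share one zone without delegating a subzone.
zone "example.com" {
    type master;
    file "example.com.db";
    update-policy {
        // host1's key may change only host1's own address records.
        grant host1.example.com. name host1.example.com. A AAAA;
        // The DHCP server may manage any name under dyn.example.com, nothing else.
        grant dhcp-server.example.com. subdomain dyn.example.com. A AAAA;
    };
};
```

An updater then sends its change with `nsupdate -k <keyfile>`, and named refuses any update signed with a key that is not granted the name and type being modified.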
