server statement for a dynamic host
Maximo Ramos
maximo at violadores.org
Sun Apr 8 23:53:51 UTC 2001
Yes, I just found out that!! I was following the docs so literally,
so the server statement just associates a key with a server, right? :)
Well, now I have:
key data {
        algorithm hmac-md5;
        secret "************************";
};
and in my dynamic zone "dyn.domain.org":
update-policy {
        grant data wildcard *.dyn.domain.org ANY;
};
So, I supposed it will allow dynamic updates *ONLY* to users having
the "data" key, right? and ANY record.
I guess this is right. Before that I had allow-update { key data ; };
Thanks for your support, man!!!
On Sun, Apr 08, 2001 at 01:31:14PM +0100, Jim Reid wrote:
> >>>>> "Maximo" == Maximo Ramos <maximo at violadores.org> writes:
>
> Maximo> DDNS is up and running in my test server :) however, the
> Maximo> server statement requires an IP!!
>
> Maximo> server ip_addr { bla, bla }
>
> Why? server{} statements have nothing to do with Dynamic DNS.
>
> Maximo> so, if his IP changes, he will try to update the dynamic
> Maximo> zone, can you see the problem?
>
> Not really. If you use TSIG for authentication of the update requests,
> not the client's IP address, the problem goes away. And it's much more
> secure than authentication based on the source IP address which is
> easily forged. Set up a TSIG key and add it to named.conf with a key{}
> statement. Provide an allow-update clause for the dynamic zone which
> limits updates to clients supplying TSIG-signed requests which use
> that key. Pass the TSIG "secret" to the client and have them use that
> in their nsupdate requests. Consult the man page for nsupdate on how
> to do that.
--
----------------------------------------------------
Maximo Ramos
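
The two access rules mentioned in this thread, compared on constructed update requests (an added example, not code from either poster or from BIND). It is a simplified model of how the rules are matched: the Update class and all function names are hypothetical, TSIG verification is assumed to have already happened, and DNSSEC-internal record types are not modelled.

```python
from dataclasses import dataclass
from typing import Optional

ZONE = "dyn.domain.org"

@dataclass(frozen=True)
class Update:
    name: str                # owner name the client wants to change
    rtype: str               # record type, e.g. "A"
    tsig_key: Optional[str]  # name of the key that verified the request, None if unsigned

def labels(name):
    return name.rstrip(".").lower().split(".")

def is_strict_subdomain(name, parent):
    n, p = labels(name), labels(parent)
    return len(n) > len(p) and n[-len(p):] == p

def in_zone(name, zone=ZONE):
    return labels(name) == labels(zone) or is_strict_subdomain(name, zone)

def allow_update_key(u, key="data"):
    """Model of: allow-update { key data; };  any name in the zone."""
    return u.tsig_key == key and in_zone(u.name)

def update_policy_wildcard(u, key="data", pattern="*.dyn.domain.org", types=("ANY",)):
    """Model of: grant data wildcard *.dyn.domain.org ANY;"""
    if u.tsig_key != key or not pattern.startswith("*."):
        return False
    # A wildcard expansion must lie below the wildcard's parent, so the
    # parent name itself (here the zone apex) is not covered by the grant.
    if not is_strict_subdomain(u.name, pattern[2:]):
        return False
    return "ANY" in types or u.rtype.upper() in types

# Constructed sample requests.
SAMPLES = [
    Update("host1.dyn.domain.org", "A", "data"),   # signed, host record
    Update("dyn.domain.org", "MX", "data"),        # signed, zone apex
    Update("host1.dyn.domain.org", "A", None),     # unsigned
    Update("host1.dyn.domain.org", "A", "other"),  # signed with another key
    Update("a.b.dyn.domain.org", "TXT", "data"),   # signed, deeper name
]

def decisions():
    """(allow-update result, update-policy result) for each sample."""
    return [(allow_update_key(u), update_policy_wildcard(u)) for u in SAMPLES]

if __name__ == "__main__":
    for u, d in zip(SAMPLES, decisions()):
        print(u, d)
```

The second sample is where the two rules differ: the key alone is enough to change the zone apex under allow-update, while the wildcard grant limits the same key to names below dyn.domain.org.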