nameserver A record hijacking.
Kevin Darcy
kcd at daimlerchrysler.com
Fri Jan 25 00:14:59 UTC 2002
Jim Reid wrote:
> >>>>> "Greg" == Greg Robinson <robinson at nospam.no-org.org> writes:
>
> First of all, use a valid email address. The newsgroup is
> bidirectionally gatewayed into a mailing list, bind-users at isc.org.
> It's very silly and anti-social to supply unreplayable email addresses
> in email. And in your case it doesn't prevent spam either.
>
> Greg> Hi, I would like to know how to prevent nsupdate or any DDNS
> Greg> tool from being able to modify an A record, which just
> Greg> happens to be the nameserver A record, or any other static A
> Greg> record I would really really like to keep.
>
> Take a look at update-policy{} in BIND9.2.
update-policy{} is fine if you are fortunate enough to already have a
naming convention in force which allows you to use a wildcard for all of
your "restricted" names, but if you don't, then you're stuck with either
"self" (which is a key-management nightmare) or you have to do a lot of
renaming, and if you're going to do that _anyway_, why not just put all
of the restricted names into their own zone and slap a good old-fashioned
"allow-update" on it?
As I've said before, what update-policy{} badly needs IMO is a rich
regular-expression syntax instead of just simplistic wildcarding. (Yeah,
I know, "patches welcomed", but who has the time?).
- Kevin
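The two approaches Kevin contrasts, shown as an added named.conf fragment that is not part of his or Jim's post. The key name, the secret, the zone names and the file names are placeholders chosen for illustration; the grant syntax (`grant identity nametype name types`) is the BIND 9.2 update-policy form Jim refers to.

```conf
// Added example, not from the original post. Key name, secret, zone and
// file names are placeholders.

// Shared key that the DHCP server (or an operator running nsupdate)
// uses to sign dynamic updates. hmac-md5 was the algorithm available
// in BIND 9.2; newer servers should use hmac-sha256.
key "dhcp-update-key" {
    algorithm hmac-md5;
    secret "PLACEHOLDER-BASE64-SECRET==";   // replace with a generated secret
};

// Option 1: update-policy{} with a DNS wildcard. This only helps if the
// dynamic hosts already live under a naming convention such as
// *.dyn.example.com. Static names like ns1.example.com. do not match
// the wildcard, so a signed update that touches them is refused.
zone "example.com" {
    type master;
    file "example.com.zone";
    update-policy {
        grant dhcp-update-key wildcard *.dyn.example.com. A;
        // The "self" alternative needs one key per host, named after
        // the host it may change (the key-management problem Kevin
        // describes):
        // grant * self * A;
    };
};

// Option 2: keep the restricted names in a zone that accepts no updates
// at all (allow-update defaults to none) and delegate a child zone that
// does. The parent zone holds ns1.example.net. and other static records.
zone "example.net" {
    type master;
    file "example.net.zone";
    // no allow-update: every dynamic update to this zone is refused
};

zone "dyn.example.net" {
    type master;
    file "dyn.example.net.zone";
    allow-update { key dhcp-update-key; };
};
```

To check either layout, sign an nsupdate session with the key and try to change a static name (ns1.example.com. under option 1, ns1.example.net. under option 2): the server should answer REFUSED, and the rejection is logged under BIND's update-security category, which is the log line to alert on if a restricted record is ever targeted.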