Zone update by something other than IP
Kevin Darcy
kcd at daimlerchrysler.com
Thu Apr 7 20:57:58 UTC 2005
Edson Manners wrote:
>Once I upgraded from Bind8 to Bind9 on our Unix Bind server I began to
>get the following error in my logs.
>
>dns1 named[8726]: zone 'zoneA' allows updates by IP address, which is
>insecure
>dns1 named[8726]: zone 'zoneB' allows updates by IP address, which is
>insecure
>dns1 named[8726]: zone 'zoneC' allows updates by IP address, which is
>insecure
>dns1 named[8726]: zone 'zoneD' allows updates by IP address, which is
>insecure
>dns1 named[8726]: zone 'zoneE' allows updates by IP address, which is
>insecure
>
>Upon further inspection I realized that the machines that are doing
>these updates were all windows bind servers. I started looking into
>finding another (more secure) way to allow these machines to update the
>zones on the Unix Bind server.
>
>I ran into DNSSEC and started the key generation stuff (dnssec-keygen),
>added the key to the named.conf file, added the key statement to the
>offending zones and commented out the IP addresses.
>
>key "zoneA" {
> algorithm hmac-md5;
> secret "sfsdfsd.....lMQXEzDapzw==....";
>};
>
>zone "zoneA" {
> type master;
> file "zoneA";
> allow-update {
> key _tcp.fsu-ad.edu;
> //146.201.7.231;
> //146.201.7.232;
> };
>};
>
>When I restart the Unix named server the errors no longer show up, so I
>feel I am on the right track. However, I cannot figure out for the life
>of me where to insert the key in the DNS server running on Windows
>Server 2003.
>
Windows Server 2003 does not understand the DNSSEC stuff, nor vanilla
TSIG. Standard BIND does not understand the Microsoft way of
authenticating Dynamic Updates (GSS-TSIG), although the modified BIND
supplied by Lucent in their QIP product supposedly does. So, unless you
happen to be running QIP, you're probably out of luck for now. Maybe the
future will see some convergence in this area.
- Kevin
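The warning Edson quotes is BIND's own sanity check on allow-update ACLs: any positive element that is not a key (an address, a prefix, "any", a named ACL) means the zone trusts source IP alone, which a spoofed UDP update can satisfy. The following is an added example, not code from the post or from BIND, that reproduces that check over a named.conf and adds the one the post's quoted snippet would benefit from: confirming that every key referenced in an allow-update block is actually declared by a key statement (the quoted config declares key "zoneA" but references key _tcp.fsu-ad.edu). The sample configuration, the placeholder secret and the function names are constructed for the example; views and include files are not followed.

```python
"""Audit the allow-update ACLs in a BIND named.conf.

Hypothetical helper (not part of BIND or of the mailing-list post): it
reproduces the logic behind BIND's "allows updates by IP address, which is
insecure" log line and also verifies that every key named in an
allow-update ACL is declared in a key statement.  Pure text parsing; it
needs neither a running named nor network access.  Limitation: views and
include files are not followed.
"""
import re


def strip_comments(text):
    """Drop /* */, // and # comments, all of which named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def top_level_statements(text):
    """Split on ';' at brace depth 0, yielding key, zone, options ... blocks."""
    depth, start = 0, 0
    for i, ch in enumerate(text):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif ch == ";" and depth == 0:
            stmt = text[start:i].strip()
            if stmt:
                yield stmt
            start = i + 1


def declared_keys(statements):
    """Names from every top-level key statement (quoted or bare name)."""
    keys = set()
    for stmt in statements:
        m = re.match(r'key\s+"?([^"\s{]+)"?\s*\{', stmt)
        if m:
            keys.add(m.group(1))
    return keys


def zone_update_acls(statements):
    """Map zone name -> allow-update ACL elements (empty list if absent)."""
    zones = {}
    for stmt in statements:
        m = re.match(r'zone\s+"?([^"\s{]+)"?', stmt)
        if not m:
            continue
        acl = re.search(r"allow-update\s*\{([^}]*)\}", stmt)
        elements = [e.strip() for e in acl.group(1).split(";")] if acl else []
        zones[m.group(1)] = [e for e in elements if e]
    return zones


def audit_named_conf(text):
    """Return (zone, problem) tuples in named.conf order."""
    stmts = list(top_level_statements(strip_comments(text)))
    keys = declared_keys(stmts)
    findings = []
    for zone, elements in zone_update_acls(stmts).items():
        address_based = []
        for el in elements:
            if el.startswith("!") or el == "none":
                continue  # negated (deny) entries and "none" grant nothing
            if el.startswith("key "):
                name = el[4:].strip().strip('"')
                if name not in keys:
                    findings.append((zone, f"references undeclared key {name!r}"))
            else:
                # Address, prefix, "any", "localnets" or a named ACL: BIND
                # treats every positive non-key element as address-based.
                address_based.append(el)
        if address_based:
            findings.append((zone, "allows updates by IP address, which is insecure: "
                             + ", ".join(address_based)))
    return findings


# Constructed sample modelled on the quoted post; the secret is a placeholder.
SAMPLE_CONF = '''
key "zoneA" {
    algorithm hmac-md5;
    secret "PLACEHOLDER-BASE64-SECRET==";
};
zone "zoneA" {
    type master;
    file "zoneA";
    allow-update {
        key _tcp.fsu-ad.edu;   // does not match the key statement above
        //146.201.7.231;
    };
};
zone "zoneB" {
    type master;
    file "zoneB";
    allow-update { 146.201.7.231; 146.201.7.232; };
};
zone "zoneC" {
    type master;
    file "zoneC";
    allow-update { key "zoneA"; };
};
zone "zoneD" {
    type master;
    file "zoneD";
    allow-update { !10.0.0.0/8; any; };
};
'''

if __name__ == "__main__":
    for zone, problem in audit_named_conf(SAMPLE_CONF):
        print(f"zone '{zone}' {problem}")
```

Run against the sample, zoneC is the only clean zone: zoneA references a key that was never declared (named would refuse to load such a config, so the check surfaces the mismatch before a restart), zoneB is exactly the case BIND logs about, and zoneD shows that a negated prefix does not rescue an ACL that otherwise grants "any". Mirroring BIND, only key elements count as authenticated; everything else is treated as address-based.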