Update Security

Mark Andrews marka at isc.org
Fri Mar 14 16:41:34 UTC 2014 

If you are going to forward updates use TSIG or SIG(0) to sign the
update and stop worrying about addresses.  TSIG and SIG(0) are
billions and billions of times stronger authenticators than a IP
address.

"allow-update-forwarding { any; };" says forward all updates
regardless of the address they were sent from.

As for you question.  Addresses are not preserved so A doesn't know
it came from E unless the messages are signed.

Mark

In message <CAM-YptcevrqfJN0371Zk43gyDt5TiEKusf4EW6=XPvzpwP=HgQ at mail.gmail.com>
, Bob McDonald writes:
> 
> I want to confirm my understanding of security of DDNS updates.
> 
> I have a stealth master "A" feeding slave "B" and "C".
> 
> I have allow-update-forwarding { any; } specified on "B" and "C".
> 
> If a client "D" presents an update to "B" or "C" it will automatically be
> forwarded to "A".
> 
> If "B" or "C" are in the allow-updates ACL on "A" all updates will be
> applied.
> 
> If "D" is in the allow-udates ACL on "A" (and not "B" or "C") the updates
> from "D" will be applied.  However an update from "E" presented to "B" or
> "C" will be forwarded but not processed.
> 
> Is this correct?

No.

> Bob
> 
> --001a11337302fad9ea04f49380b0
> Content-Type: text/html; charset=ISO-8859-1
> Content-Transfer-Encoding: quoted-printable
> 
> <div dir=3D"ltr"><div><div><div><div><div><div><div>I want to confirm my un=
> derstanding of security of DDNS updates.<br><br></div>I have a stealth mast=
> er "A" feeding slave "B" and "C".<br><br></di=
> v>
> I have allow-update-forwarding { any; } specified on "B" and &quo=
> t;C".<br><br></div>If a client "D" presents an update to &qu=
> ot;B" or "C" it will automatically be forwarded to "A&q=
> uot;.<br>
> <br></div>If "B" or "C" are in the allow-updates ACL on=
>  "A" all updates will be applied.<br><br></div>If "D" i=
> s in the allow-udates ACL on "A" (and not "B" or "=
> C") the updates from "D" will be applied.=A0 However an upda=
> te from "E" presented to "B" or "C" will be f=
> orwarded but not processed.<br>
> <br></div>Is this correct?<br><br></div>Bob<br><br></div>
> 
> --001a11337302fad9ea04f49380b0--
> 
> --===============4542560060445475228==
> Content-Type: text/plain; charset="us-ascii"
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
> Content-Disposition: inline
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>  from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> --===============4542560060445475228==--
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the bind-users mailing list