help me explain

Cuttler, Brian R (HEALTH) brian.cuttler at health.ny.gov
Fri Oct 21 19:59:16 UTC 2016


Thank you Simon.

In this case it looks like I can remove all zone entries then.

The DHCP server and the dynamic dns master live on the same box and I've established nsupdate keys, and the dns master talks to the slave servers for zone transfers, but I specified masters and allow-transfers, so things are reasonably secure.

If I was on the other side of the FW or in the DMZ it would need to be tighter but I think we are ok this way.

I'll look to remove the "zone" commands from the dhcpd.conf file, the simpler the better, at least until security issues begin to loom.

Thanks and have a great weekend,
Brian

> -----Original Message-----
> From: dhcp-users [mailto:dhcp-users-bounces at lists.isc.org] On Behalf Of Simon Hobson
> Sent: Friday, October 21, 2016 3:54 PM
> To: Users of ISC DHCP <dhcp-users at lists.isc.org>
> Subject: Re: help me explain
> 
> 
> "Cuttler, Brian R (HEALTH)" <brian.cuttler at health.ny.gov> wrote:
> 
> > I just need one for the cms.wadsworth.org, nuke all of the cms<vlannumber>.wadsworth.org ones.
> 
> Yes, but see below ...
> 
> > What about the ones I'd created for the Reverse zones, are those needed at all?
> 
> That depends on your setup.
> 
> If your internal DNS is setup with the correct SOA records, AND you aren't
> using signed updates, then you don't need any zone declarations at all. By
> default, the server will look at the SOA record for the zone
> (cms.wadsworth.org or xx.57.10.in-addr.arpa in your case) and get the
> master DNS server from that - then sends the (unsigned) update requests to
> it.
> This does require that the DNS server be setup to accept unsigned updates,
> which in the general case is "unsafe". You could lock it down and just
> accept updates from certain IP addresses - eg if this is a dedicated
> system, with restricted users (so you can trust anyone with access), then
> just accepting updates from "localhost" may be OK.
> 
> But in the general case, you want to restrict the system to signed
> updates. To do this, you need to define each zone in the DHCP server just
> so you can specify the key to be used for each one.
> 
> 
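The three configurations Simon describes (unsigned updates from anywhere, unsigned updates restricted by source address, and TSIG-signed updates that force a "zone" declaration per zone in dhcpd.conf), written out side by side as an added example that is not part of the original thread. The forward zone cms.wadsworth.org and the reverse zone xx.57.10.in-addr.arpa are the ones named in the thread ("xx" is left as the thread left it); the key name "dhcp-update", the file paths, the hmac-sha256 choice and the secret placeholder are assumptions, and the secret must be replaced with real tsig-keygen output before use.

```conf
# ---- named.conf on the DNS master: open form, what "accept unsigned updates" means ----
zone "cms.wadsworth.org" {
    type master;
    file "dynamic/cms.wadsworth.org.db";
    allow-update { any; };           # any host that can reach port 53 can rewrite the zone
};

# ---- named.conf: still unsigned, but restricted by source address ----
# Reasonable only when DHCP and DNS share one trusted box, as in this thread;
# dhcpd then needs no "zone" or "key" statements at all and finds the
# master from the zone's SOA record.
zone "cms.wadsworth.org" {
    type master;
    file "dynamic/cms.wadsworth.org.db";
    allow-update { localhost; };     # a spoofed or compromised local process still passes
};

# ---- named.conf: signed (TSIG) updates, the general-case setting ----
key "dhcp-update" {                  # assumed name; generate with: tsig-keygen -a hmac-sha256 dhcp-update
    algorithm hmac-sha256;
    secret "REPLACE-WITH-TSIG-KEYGEN-OUTPUT";   # placeholder, not a real secret
};
zone "cms.wadsworth.org" {
    type master;
    file "dynamic/cms.wadsworth.org.db";
    allow-update { key "dhcp-update"; };   # only updates signed with this key are applied
};
zone "xx.57.10.in-addr.arpa" {       # reverse zone from the thread, "xx" left as written there
    type master;
    file "dynamic/xx.57.10.in-addr.arpa.db";
    allow-update { key "dhcp-update"; };
};

# ---- dhcpd.conf: with signed updates the "zone" declarations are required, ----
# ---- because they are the only place dhcpd can be told which key a zone uses ----
ddns-update-style interim;           # "standard" on ISC DHCP 4.3 and later
ddns-domainname "cms.wadsworth.org";
key dhcp-update {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-TSIG-KEYGEN-OUTPUT";   # must be identical to the named.conf secret
}
zone cms.wadsworth.org. {            # trailing dot: dhcpd wants a fully qualified zone name
    primary 127.0.0.1;               # DNS master is on the same box in this thread
    key dhcp-update;
}
zone xx.57.10.in-addr.arpa. {
    primary 127.0.0.1;
    key dhcp-update;
}
```

Once the signed form is in place, check it from the DHCP box with nsupdate: an update sent without a key (`nsupdate` with no `-k`) should come back REFUSED, and the same update sent with `nsupdate -k <keyfile>` should succeed. If the unsigned attempt is accepted, the zone's allow-update is still open and the dhcpd.conf key is doing nothing.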

