Bind8 Dynamic DNS How-To?

Kevin Darcy kcd at daimlerchrysler.com
Wed Jun 14 01:03:27 UTC 2000


Jeff Newton wrote:

> It would seem to me that Win2K boxes aren't the problem here as any
> other client with "permission" to send updates could stomp on any
> DNS entry.

If reasonable authentication were available, then it should be possible
to remember the "owner" of each individual name, and prevent non-owners
from altering or deleting it (subject to whatever local policy one
wishes to enforce). But authenticating Win2K clients to BIND is somewhat
UNreasonable: your only choice now, as I understand it, is to
authenticate by IP address. Hardly a solid basis on which to build an
enterprise-strength authorization infrastructure...

> Are stronger-authenticated updates in the works for a future Bind
> release?

Last I heard, ISC and Microsoft were playing an extended game of phone
tag with each other.


- Kevin

> Cheers,
>
> > Jeff Newton wrote:
> >
> > > I've been using Bind 8.2.2 for a while now but I'd like to start
> > > implementing the dynamic DNS features for our many DHCP Windoze
> > > machines.  Plus with Win2K fast approaching.....
> >
> > Prepare to be disappointed. From what I gather, there is no way for
> > Win2K to make strongly-authenticated Dynamic Updates to BIND, and
> > without proper authentication, not only is there the obvious security
> > risk, but there's really nothing to stop the Win2K boxes from stomping
> > on each other's records (since the server can't really tell one client
> > from another). Of course, Microsoft has this problem "solved", as long
> > as you use *their* servers for DNS instead of BIND. Yippee.
> >
> >
> > - Kevin
> >
> >
>
> ----
> Jeff Newton
> Security Analyst
> PMC-Sierra Inc.
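
Added example, not part of the original message and not BIND code: a toy Python model of the point made above, contrasting an update ACL keyed on source IP with a zone that remembers the authenticated owner of each name. The class names, key identities, addresses and example.com names are constructed, and the identity is assumed to have been verified already by some mechanism the model does not implement.

```python
import ipaddress

class IpAclZone:
    """Update allowed for any source address inside one network."""
    def __init__(self, allowed_net):
        self.allowed = ipaddress.ip_network(allowed_net)
        self.records = {}

    def update(self, src_ip, name, rdata):
        if ipaddress.ip_address(src_ip) not in self.allowed:
            return False
        self.records[name] = rdata   # no record of who created the name
        return True

class OwnerTrackingZone:
    """Remembers which authenticated identity first created each name."""
    def __init__(self, known_identities):
        self.known = set(known_identities)   # assumed already authenticated
        self.records = {}
        self.owner = {}

    def _may_change(self, identity, name):
        if identity not in self.known:
            return False
        # A new name may be claimed; an existing one only by its owner.
        return self.owner.get(name, identity) == identity

    def update(self, identity, name, rdata):
        if not self._may_change(identity, name):
            return False
        self.owner[name] = identity
        self.records[name] = rdata
        return True

    def delete(self, identity, name):
        if name not in self.records or not self._may_change(identity, name):
            return False
        del self.records[name], self.owner[name]
        return True

def demo():
    acl = IpAclZone("10.0.0.0/24")
    acl.update("10.0.0.5", "pc1.example.com", "10.0.0.5")
    acl.update("10.0.0.9", "pc1.example.com", "10.0.0.9")  # accepted: pc1 overwritten
    owned = OwnerTrackingZone({"pc1-key", "pc2-key"})
    owned.update("pc1-key", "pc1.example.com", "10.0.0.5")
    blocked = not owned.update("pc2-key", "pc1.example.com", "10.0.0.9")
    return acl.records["pc1.example.com"], owned.records["pc1.example.com"], blocked
```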





