Bind8 Dynamic DNS How-To?
Barry Finkel
b19141 at achilles.ctd.anl.gov
Wed Jun 14 14:37:53 UTC 2000
Jeff Newton wrote:
>It would seem to me that Win2K boxes aren't the problem here as any
>other client with "permission" to send updates could stomp on any
>DNS entry.
>
>Are stronger-authenticated updates in the works for a future Bind
>release?

As I see it, there are two issues -

1) Proper authentication of the computer that is sending dynamic DNS
updates to the SOA master -- Is that computer the real computer at
that IP address, or has someone on another machine spoofed the IP
address for the purpose of sending bogus DDNS packets?

2) The pre-requisite checks that come with the DDNS packets -- With
improper or incomplete pre-requisite checks, even a properly
authenticated computer can corrupt a DNS entry via DDNS. One of the
reasons for my posting yesterday of my Win2k testing was to show the
pre-requisites that MS has built into its Win2k code. I do not agree
that the MS pre-requisites are 100% correct. When someone here
at Argonne sends mail to hostmaster at anl.gov requesting a DNS
update, the DNS administrators here can check the request for any
conflicts before we edit the zones. If we find conflicts, we send
e-mail back to the requestor asking for clarifications. With
DDNS, that manual checking has been converted into the pre-requisite
sections of the DDNS packets.

----------------------------------------------------------------------
Barry S. Finkel
Electronics and Computing Technologies Division
Argonne National Laboratory Phone: +1 (630) 252-7277
9700 South Cass Avenue Facsimile:+1 (630) 252-9689
Building 221, Room B236 Internet: BSFinkel at anl.gov
Argonne, IL 60439-4844 IBMMAIL: I1004994
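
Added example, not part of the original message: a simplified Python model of how a server evaluates the prerequisite section of a dynamic update, using the five prerequisite forms of RFC 2136. It shows that an update sent with no prerequisites replaces an existing record, while the same update carrying "name is not in use" is refused. The zone data, host names, addresses and function names are constructed for illustration.

```python
# Added illustration: RFC 2136 prerequisite evaluation over a constructed zone.
# Zone contents, host names and addresses are made up for this example.
ANY, NONE, IN = "ANY", "NONE", "IN"

def check_prereqs(zone, prereqs):
    """Return the rcode for a prerequisite section (simplified model).

    zone:    {name: {rrtype: set(rdata)}}
    prereqs: list of (name, rrclass, rrtype, rdata-or-None)
    """
    wanted = {}  # value-dependent RRsets, compared as whole sets at the end
    for name, rrclass, rrtype, rdata in prereqs:
        rrsets = zone.get(name, {})
        if rrclass == ANY and rdata is None:
            if rrtype == ANY:
                if not rrsets:
                    return "NXDOMAIN"   # "name is in use" failed
            elif rrtype not in rrsets:
                return "NXRRSET"        # "RRset exists" failed
        elif rrclass == NONE and rdata is None:
            if rrtype == ANY:
                if rrsets:
                    return "YXDOMAIN"   # "name is not in use" failed
            elif rrtype in rrsets:
                return "YXRRSET"        # "RRset does not exist" failed
        elif rrclass == IN and rdata is not None and rrtype != ANY:
            wanted.setdefault((name, rrtype), set()).add(rdata)
        else:
            return "FORMERR"            # malformed prerequisite
    for (name, rrtype), rdatas in wanted.items():
        if zone.get(name, {}).get(rrtype) != rdatas:
            return "NXRRSET"            # value-dependent "RRset exists" failed
    return "NOERROR"

def apply_update(zone, prereqs, name, rrtype, rdata):
    """Replace name's rrtype RRset with rdata only if every prerequisite holds."""
    rcode = check_prereqs(zone, prereqs)
    if rcode == "NOERROR":
        zone.setdefault(name, {})[rrtype] = {rdata}
    return rcode
```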