Bind8 Dynamic DNS How-To?

Barry Finkel b19141 at achilles.ctd.anl.gov
Wed Jun 14 14:37:53 UTC 2000


Jeff Newton wrote:

>It would seem to me that Win2K boxes aren't the problem here as any
>other client with "permission" to send updates could stomp on any
>DNS entry.
>
>Are stronger-authenticated updates in the works for a future Bind
>release?

As I see it, there are two issues - 

1) Proper authentication of the computer that is sending dynamic DNS
   updates to the SOA master -- Is that computer the real computer at
   that IP address, or has someone on another machine spoofed the IP 
   address for the purpose of sending bogus DDNS packets?

2) The pre-requisite checks that come with the DDNS packets -- With
   improper or incomplete pre-requisite checks, even a properly
   authenticated computer can corrupt a DNS entry via DDNS.  One of the
   reasons for my posting yesterday of my Win2k testing was to show the
   pre-requisites that MS has built into its Win2k code.  I do not agree
   that the MS pre-requisites are 100% correct.  When someone here
   at Argonne sends mail to hostmaster at anl.gov requesting a DNS
   update, the DNS administrators here can check the request for any
   conflicts before we edit the zones.  If we find conflicts, we send
   e-mail back to the requestor asking for clarifications.  With 
   DDNS, that manual checking has been converted into the pre-requisite
   sections of the DDNS packets.

----------------------------------------------------------------------
Barry S. Finkel
Electronics and Computing Technologies Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-9689
Building 221, Room B236              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4844             IBMMAIL:  I1004994
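
Added example, not part of the original post: a simplified Python model of the prerequisite section defined in RFC 2136 (section 2.4), illustrating issue 2 above. It shows an update with no prerequisites overwriting an existing record, while the same update guarded by "RRset does not exist" is refused. The zone data, host name, addresses and function names are constructed, and the single-step replace stands in for the delete-plus-add a real update would carry.

```python
# Simplified model of RFC 2136 prerequisite checks (added example).
# Zone contents, names and addresses are constructed for illustration.
NAME_IN_USE, NAME_NOT_IN_USE = "name-in-use", "name-not-in-use"
RRSET_EXISTS, RRSET_ABSENT, RRSET_EQUALS = "exists", "absent", "equals"

# RCODE the server returns when a prerequisite of that kind is not met.
FAIL_RCODE = {NAME_IN_USE: "NXDOMAIN", NAME_NOT_IN_USE: "YXDOMAIN",
              RRSET_EXISTS: "NXRRSET", RRSET_ABSENT: "YXRRSET",
              RRSET_EQUALS: "NXRRSET"}


def prereq_holds(zone, kind, name, rtype=None, rdata=None):
    """Return True if one prerequisite is satisfied by the current zone."""
    rrsets = zone.get(name, {})
    if kind == NAME_IN_USE:
        return bool(rrsets)
    if kind == NAME_NOT_IN_USE:
        return not rrsets
    if kind == RRSET_EXISTS:
        return rtype in rrsets
    if kind == RRSET_ABSENT:
        return rtype not in rrsets
    if kind == RRSET_EQUALS:
        return rrsets.get(rtype) == set(rdata)
    raise ValueError(kind)


def apply_update(zone, prereqs, name, rtype, rdata):
    """Check every prerequisite first; replace the RRset only if all hold."""
    for prereq in prereqs:
        if not prereq_holds(zone, *prereq):
            return FAIL_RCODE[prereq[0]]
    zone.setdefault(name, {})[rtype] = set(rdata)
    return "NOERROR"


def demo():
    host = "www.example.test"
    # Sender supplies no prerequisites: the existing A record is replaced.
    zone = {host: {"A": {"192.0.2.10"}}}
    unguarded = apply_update(zone, [], host, "A", ["192.0.2.99"])
    after_unguarded = zone[host]["A"]
    # Same update guarded by "RRset does not exist": refused, zone unchanged.
    zone = {host: {"A": {"192.0.2.10"}}}
    guard = [(RRSET_ABSENT, host, "A")]
    guarded = apply_update(zone, guard, host, "A", ["192.0.2.99"])
    return unguarded, after_unguarded, guarded, zone[host]["A"]
```

Because the prerequisites travel in the update packet, the server in this model only enforces what the sender chose to ask for.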



