Bind8 Dynamic DNS How-To?
peter at icke-reklam.ipsec.nu
Wed Jun 14 16:06:43 UTC 2000
Barry Finkel <b19141 at achilles.ctd.anl.gov> wrote:
> Jeff Newton wrote:
>>It would seem to me that Win2K boxes aren't the problem here as any
>>other client with "permission" to send updates could stomp on any
>>DNS entry.
>>
>>Are stronger-authenticated updates in the works for a future Bind
>>release?
> As I see it, there are two issues -
> 1) Proper authentication of the computer that is sending dynamic DNS
> updates to the SOA master -- Is that computer the real computer at
> that IP address, or has someone on another machine spoofed the IP
> address for the purpose of sending bogus DDNS packets?
> 2) The pre-requisite checks that come with the DDNS packets -- With
> improper or incomplete pre-requisite checks, even a properly
> authenticated computer can corrupt a DNS entry via DDNS. One of the
> reasons for my posting yesterday of my Win2k testing was to show the
> pre-requisites that MS has built into its Win2k code. I do not agree
> that the MS pre-requisites are 100% correct. When someone here
> at Argonne sends mail to hostmaster at anl.gov requesting a DNS
> update, the DNS administrators here can check the request for any
> conflicts before we edit the zones. If we find conflicts, we send
> e-mail back to the requestor asking for clarifications. With
> DDNS, that manual checking has been converted into the pre-requisite
> sections of the DDNS packets.
I would like to add a third issue:
3) for each entry added by dyndns, remembering which host/source made it,
and when that source is decommissioned, remove its RRs.
This is no easy task, since no one will tell bind whenever a machine is
switched off for the last time. Without it debris will accumulate in
the database until manually removed.
A speculation here: is MS-DNS actually removing these entries when their TTL
times out? That would (in a way) solve this dilemma. Comments please!
> ----------------------------------------------------------------------
> Barry S. Finkel
> Electronics and Computing Technologies Division
> Argonne National Laboratory Phone: +1 (630) 252-7277
> 9700 South Cass Avenue Facsimile:+1 (630) 252-9689
> Building 221, Room B236 Internet: BSFinkel at anl.gov
> Argonne, IL 60439-4844 IBMMAIL: I1004994
--
Peter Håkanson
IPSec Sverige (At the Riverside of Gothenburg, home of Volvo)
Sorry about my e-mail address, but I'm trying to keep spam out.
Remove "icke-reklam" and it works.
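
Issue 3 above, sketched as an added example (not part of the original post and not a BIND feature): a side ledger that records which authenticated source created each dynamic RR and when it was last refreshed, refuses overwrites from a different live source, and scavenges entries that are no longer refreshed. The class and function names, the per-host key names used as the source identity, and the 7-day limit are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class DynRecord:
    rdata: str
    owner: str        # authenticated identity of the updater (assumed: a per-host key name)
    refreshed: float  # time of the last add/refresh, in seconds

class DynLedger:
    """Hypothetical side table kept next to a dynamic zone."""
    def __init__(self, max_age):
        self.max_age = max_age   # a record not refreshed for this long is debris
        self.records = {}        # (name, rtype) -> DynRecord

    def _stale(self, rec, now):
        return now - rec.refreshed > self.max_age

    def update(self, name, rtype, rdata, source, now):
        """Add or refresh an RR; refuse if a different, still-live source owns it."""
        key = (name.lower().rstrip("."), rtype.upper())
        current = self.records.get(key)
        if current and current.owner != source and not self._stale(current, now):
            return False  # no stomping on another host's entry
        self.records[key] = DynRecord(rdata, source, now)
        return True

    def scavenge(self, now):
        """Remove records whose source stopped refreshing them; return their keys."""
        dead = sorted(k for k, r in self.records.items() if self._stale(r, now))
        for key in dead:
            del self.records[key]
        return dead

def demo():
    # Constructed sample data: host names, key names and times are made up.
    day = 86400.0
    ledger = DynLedger(max_age=7 * day)
    results = [
        ledger.update("pc1.example.test", "A", "192.0.2.10", "key-pc1", 0 * day),
        ledger.update("pc2.example.test", "A", "192.0.2.11", "key-pc2", 0 * day),
        ledger.update("pc1.example.test", "A", "192.0.2.66", "key-pc2", 1 * day),  # refused
        ledger.update("pc1.example.test", "A", "192.0.2.10", "key-pc1", 6 * day),  # refresh
    ]
    removed = ledger.scavenge(now=8 * day)  # pc2 was switched off after day 0
    return results, removed, sorted(ledger.records)

if __name__ == "__main__":
    print(demo())
```

The ledger only works if the source identity is authenticated; keyed on a source IP address alone it inherits the spoofing problem raised as issue 1.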