Bind8 Dynamic DNS How-To?

peter at icke-reklam.ipsec.nu
Wed Jun 14 16:06:43 UTC 2000


Barry Finkel <b19141 at achilles.ctd.anl.gov> wrote:
> Jeff Newton wrote:

>>It would seem to me that Win2K boxes aren't the problem here as any
>>other client with "permission" to send updates could stomp on any
>>DNS entry.
>>
>>Are stronger-authenticated updates in the works for a future Bind
>>release?

> As I see it, there are two issues:

> 1) Proper authentication of the computer that is sending dynamic DNS
>    updates to the SOA master -- Is that computer the real computer at
>    that IP address, or has someone on another machine spoofed the IP 
>    address for the purpose of sending bogus DDNS packets?

> 2) The pre-requisite checks that come with the DDNS packets -- With
>    improper or incomplete pre-requisite checks, even a properly
>    authenticated computer can corrupt a DNS entry via DDNS.  One of the
>    reasons for my posting yesterday of my Win2k testing was to show the
>    pre-requisites that MS has built into its Win2k code.  I do not agree
>    that the MS pre-requisites are 100% correct.  When someone here
>    at Argonne sends mail to hostmaster at anl.gov requesting a DNS
>    update, the DNS administrators here can check the request for any
>    conflicts before we edit the zones.  If we find conflicts, we send
>    e-mail back to the requestor asking for clarifications.  With 
>    DDNS, that manual checking has been converted into the pre-requisite
>    sections of the DDNS packets.

I would like to add a third issue :
3)   for each entry added by DynDNS, remembering which host/source made it,
     and when that source is decommissioned, removing its RRs.

     This is no easy task, since no one will tell bind when a machine is
     switched off for the last time. Without it, debris will accumulate in
     the database until manually removed.

A speculation here: is MS-DNS actually removing these entries when their TTL
times out? That would (in a way) solve this dilemma. Comments please!

> ----------------------------------------------------------------------
> Barry S. Finkel
> Electronics and Computing Technologies Division
> Argonne National Laboratory          Phone:    +1 (630) 252-7277
> 9700 South Cass Avenue               Facsimile:+1 (630) 252-9689
> Building 221, Room B236              Internet: BSFinkel at anl.gov
> Argonne, IL   60439-4844             IBMMAIL:  I1004994


-- 
Peter Håkanson         
        IPSec  Sverige      (At the Riverside of Gothenburg, home of Volvo)
           Sorry about my e-mail address, but I'm trying to keep spam out.
           Remove "icke-reklam" and it works.
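
Added example (not part of the post above, and not BIND 8 code): a small
Python model of what a DDNS server does with the prerequisite section of an
UPDATE (RFC 2136 section 3.2), extended with the "remember which source added
a record, expire it when that source stops refreshing" cleanup raised as
issue 3. The zone contents, the key names, the per-RRset source tag and the
scavenging interval are all constructed assumptions of this model, not a
feature of BIND 8. demo() walks the scenario discussed in the thread: a host
registers itself guarded by an nxrrset prerequisite, a second authenticated
client sending the same guarded update is refused with YXRRSET, the same
client without the guard succeeds (the stomping the thread worries about),
and a host that registered once and never refreshed is expired while the
host that keeps re-registering survives.

```python
"""Model of RFC 2136 prerequisite checking plus stale-record scavenging.

Constructed example: the names, the source tag on each RRset and the
scavenging policy are assumptions of this model, not BIND 8 behaviour.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

Key = Tuple[str, str]  # (owner name, RR type); names are stored lower-cased


@dataclass
class Prereq:
    """One prerequisite, named after the nsupdate verbs (RFC 2136 section 2.4)."""
    kind: str                               # yxdomain | nxdomain | yxrrset | nxrrset
    name: str
    rtype: Optional[str] = None             # needed for yxrrset / nxrrset
    rdata: Optional[FrozenSet[str]] = None  # set only for a value-dependent yxrrset


@dataclass
class RRSet:
    rdata: FrozenSet[str]
    source: str       # assumption: authenticated identity (e.g. TSIG key name) of the last updater
    refreshed: float  # time of that update, used by scavenge()


class Zone:
    def __init__(self, origin: str) -> None:
        self.origin = origin.lower()
        self.rrsets: Dict[Key, RRSet] = {}

    def _names(self) -> set:
        return {name for name, _ in self.rrsets}

    def check_prereqs(self, prereqs: Iterable[Prereq]) -> Optional[str]:
        """Return None if every prerequisite holds, otherwise the RCODE name
        RFC 2136 section 3.2 requires the server to answer with."""
        for p in prereqs:
            name = p.name.lower()
            if p.kind == "yxdomain":      # name is in use
                if name not in self._names():
                    return "NXDOMAIN"
            elif p.kind == "nxdomain":    # name is not in use
                if name in self._names():
                    return "YXDOMAIN"
            elif p.kind == "yxrrset":     # RRset exists (value independent or dependent)
                rrset = self.rrsets.get((name, p.rtype))
                if rrset is None or (p.rdata is not None and rrset.rdata != p.rdata):
                    return "NXRRSET"
            elif p.kind == "nxrrset":     # RRset does not exist
                if (name, p.rtype) in self.rrsets:
                    return "YXRRSET"
            else:
                return "FORMERR"
        return None

    def update(self, source: str, prereqs: List[Prereq],
               adds: List[Tuple[str, str, Iterable[str]]], now: float) -> str:
        """Apply one UPDATE from an authenticated source. All prerequisites are
        checked before any record changes, so a failed check leaves the zone untouched."""
        rcode = self.check_prereqs(prereqs)
        if rcode is not None:
            return rcode
        for name, rtype, rdata in adds:   # "add" semantics: merge into the existing RRset
            key = (name.lower(), rtype)
            old = self.rrsets.get(key)
            merged = frozenset(rdata) | (old.rdata if old else frozenset())
            self.rrsets[key] = RRSet(merged, source, now)
        return "NOERROR"

    def scavenge(self, now: float, max_age: float) -> List[Key]:
        """Drop RRsets not refreshed within max_age seconds. DDNS itself never
        says a host is gone, so this is operator policy applied to dynamic records only."""
        stale = sorted(k for k, rr in self.rrsets.items() if now - rr.refreshed > max_age)
        for key in stale:
            del self.rrsets[key]
        return stale


def demo() -> dict:
    """Walk the thread's three issues on a constructed zone; returns the results seen."""
    zone = Zone("example.test.")
    t0 = 1_000_000.0
    ws1, old = "ws1.example.test.", "oldbox.example.test."
    no_a_yet = [Prereq("nxrrset", ws1, "A")]
    # ws1 registers itself, guarded by "there is no A RRset for my name yet".
    first = zone.update("key-ws1", no_a_yet, [(ws1, "A", {"10.0.0.5"})], t0)
    # A different authenticated client sends the same guarded update: refused, zone unchanged.
    guarded = zone.update("key-ws2", no_a_yet, [(ws1, "A", {"10.0.0.9"})], t0 + 10)
    # The same client with an empty prerequisite section: accepted, ws1 now has two addresses.
    unguarded = zone.update("key-ws2", [], [(ws1, "A", {"10.0.0.9"})], t0 + 20)
    # A value-dependent prerequisite pins the exact RRset a client is about to rely on.
    pinned = zone.check_prereqs([Prereq("yxrrset", ws1, "A", frozenset({"10.0.0.5", "10.0.0.9"}))])
    # Issue 3: oldbox registers once and is switched off; ws1 keeps re-registering.
    zone.update("key-oldbox", [], [(old, "A", {"10.0.0.77"})], t0)
    zone.update("key-ws1", [], [(ws1, "A", {"10.0.0.5"})], t0 + 20 * 3600)
    stale = zone.scavenge(now=t0 + 86400, max_age=12 * 3600)
    return {"first": first, "guarded": guarded, "unguarded": unguarded,
            "pinned": pinned, "stale": stale, "remaining": sorted(zone.rrsets)}


if __name__ == "__main__":
    print(demo())
```

The source tag stands in for the name of the TSIG key an update was signed
with; with purely address-based update permission there is nothing reliable
to put in that field, which is why issue 1 (authenticating the sender) comes
before issues 2 and 3. The scavenger only ever touches records the dynamic
path created, and its interval has to be longer than the clients' refresh
period or it will expire live hosts.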


