Secure Dynamic Update with TSIG on Windows clients?
Ralf Durkee
rd at rd1.net
Tue Jun 20 01:29:35 UTC 2006
Steven Brown wrote:
> Ralf Durkee wrote:
>
>> The recommended solution is to use a TSIG compliant DHCP server on a
>> Unix/Linux system and have the DHCP server send TSIG signed updates.
>>
>
> The problem is I'm doing this for roaming clients so I don't always have
> control over what DHCP server provides the address.
>
>
You may be stuck since MS signature's not TSIG compatible. It sounds
like you want to allow dynamic updates to your DNS from sources that you
don't control, and allow them to update names to IP addresses of their
choice. Sounds like things would be pretty open to allow unwanted
updates. You might want to think this through, even if the TSIG
signature worked, you'd be trusting a lot. At best the validity of the
updates would be as trustworthy as your least secure laptop, in reality
I think the value of the names would be even less, since they couldn't
be trusted to be used for logging or host resolution.
-- Ralf Durkee, CISSP, GSEC, GCIH
Principal Security Consultant