Modified a zone, so when it becomes available?

Kevin Darcy kcd at chrysler.com
Tue Sep 15 14:40:01 UTC 2009


Udo Zumdick wrote:
> One other way I know is to use Dynamic DNS, but it is more complicated and
> (in my opinion) also sort of unsecure.
Isn't that kind of like saying modifying a file is "sort of unsecure"?

You don't let random people modify your files without proper 
protections/permissions/processes in place, do you? And if it's a file 
you really care about (e.g. has legal significance, governmental 
significance, or something that directly affects your competitiveness in 
the marketplace), you'd better have a robust auditing/logging regime so 
you can see who changed it how and when. Preferably even some sort of 
"versioning" so you can roll back the file to an earlier version if 
necessary.

Same thing with Dynamic Update in DNS. If you're naive enough to simply 
slap an "allow-update" on your zone(s), specifying IP addresses from 
ranges you don't trust to the n'th degree, then shame on you. That would 
be like having a world-writable file on your public-facing server 
containing sensitive business-critical data.

Here, we only allow Dynamic Updates from the local box (in a few cases) 
or (much more commonly) with a TSIG key. And we don't make that TSIG key 
available to anyone outside of our own little trusted group (3 people) 
directly. Everyone else goes through a fairly elaborate web interface 
with an associated robust Access Control Subsystem, which ultimately 
fetches the appropriate TSIG key behind the scenes when it's time to 
make the actual Dynamic Update to DNS (after a bunch of permissions and 
sanity/consistency checks have been performed).

- Kevin
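The distinction Kevin draws, "allow-update" opened to an address range versus updates gated on a TSIG key (plus logging so you can see who changed what), maps onto a few lines of named.conf. The fragment below is an added illustration, not configuration from the original post or from Chrysler's setup; the zone name, file name, key name, secret and log path are all placeholders I chose for the example.

```conf
// Added example (not from the post). Assumes BIND 9 named.conf syntax.
// The key secret is a placeholder; generate a real one with
// `tsig-keygen webui-update-key` (BIND 9.11+) and paste the output here.
key "webui-update-key" {
    algorithm hmac-sha256;
    secret "BASE64-SECRET-PLACEHOLDER";
};

// Weak: any host in 10.0.0.0/8 can rewrite the zone. This is the
// "world-writable file" case. Shown only for contrast; do not deploy.
//
// zone "example.test" {
//     type master;
//     file "db.example.test";
//     allow-update { 10.0.0.0/8; };
// };

// Hardened: only the local box or a client presenting the TSIG key may
// update. Anyone else (the web interface's users, for instance) never
// holds the key; the front end signs on their behalf after its own checks.
zone "example.test" {
    type master;
    file "db.example.test";
    allow-update { localhost; key "webui-update-key"; };
};

// Audit trail: record every dynamic update and every rejected one.
// The zone file itself is rewritten by named, so the log is where
// "who changed it, how and when" lives.
logging {
    channel update_log {
        file "/var/log/named/update.log" versions 10 size 20m;
        severity info;
        print-time yes;
        print-category yes;
    };
    category update { update_log; };
    category update-security { update_log; };
};
```

A client that legitimately holds the key submits changes with `nsupdate -k /path/to/keyfile` (or `-y hmac-sha256:webui-update-key:SECRET`); an unsigned update, or one signed with a different key, is refused and shows up in the `update-security` category. The commented-out block and the hardened block cannot both be active for the same zone, and `allow-update` cannot be combined with `update-policy` in one zone statement, so pick one form.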


