<div dir="ltr"><div><div>I agree that TSIG or SIG(0) signed updates are certainly a more desirable approach than allowing updates via address. My DHCP server is setup to sign all of it's updates this way. However, I have AD domain controllers in the environment that don't currently use signed updates. Is there a fairly painless way to convert all the AD machines to signed updates?<br>
<br></div>TIA,<br><br></div>Bob<br><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Mar 14, 2014 at 12:41 PM, Mark Andrews <span dir="ltr"><<a href="mailto:marka@isc.org" target="_blank">marka@isc.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
If you are going to forward updates use TSIG or SIG(0) to sign the<br>
update and stop worrying about addresses. TSIG and SIG(0) are<br>
billions and billions of times stronger authenticators than a IP<br>
address.<br>
<br>
"allow-update-forwarding { any; };" says forward all updates<br>
regardless of the address they were sent from.<br>
<br>
As for you question. Addresses are not preserved so A doesn't know<br>
it came from E unless the messages are signed.<br>
<br>
Mark<br>
<br>
In message <CAM-YptcevrqfJN0371Zk43gyDt5TiEKusf4EW6=XPvzpwP=<a href="mailto:HgQ@mail.gmail.com">HgQ@mail.gmail.com</a>><br>
<div><div class="h5">, Bob McDonald writes:<br>
><br>
> I want to confirm my understanding of security of DDNS updates.<br>
><br>
> I have a stealth master "A" feeding slave "B" and "C".<br>
><br>
> I have allow-update-forwarding { any; } specified on "B" and "C".<br>
><br>
> If a client "D" presents an update to "B" or "C" it will automatically be<br>
> forwarded to "A".<br>
><br>
> If "B" or "C" are in the allow-updates ACL on "A" all updates will be<br>
> applied.<br>
><br>
> If "D" is in the allow-udates ACL on "A" (and not "B" or "C") the updates<br>
> from "D" will be applied. However an update from "E" presented to "B" or<br>
> "C" will be forwarded but not processed.<br>
><br>
> Is this correct?<br>
<br>
</div></div>No.<br>
<br>
> Bob<br>
><br>
> --001a11337302fad9ea04f49380b0<br>
> Content-Type: text/html; charset=ISO-8859-1<br>
> Content-Transfer-Encoding: quoted-printable<br>
><br>
> <div dir=3D"ltr"><div><div><div><div><div><div><div>I want to confirm my un=<br>
> derstanding of security of DDNS updates.<br><br></div>I have a stealth mast=<br>
> er "A" feeding slave "B" and "C".<br><br></di=<br>
> v><br>
> I have allow-update-forwarding { any; } specified on "B" and &quo=<br>
> t;C".<br><br></div>If a client "D" presents an update to &qu=<br>
> ot;B" or "C" it will automatically be forwarded to "A&q=<br>
> uot;.<br><br>
> <br></div>If "B" or "C" are in the allow-updates ACL on=<br>
> "A" all updates will be applied.<br><br></div>If "D" i=<br>
> s in the allow-udates ACL on "A" (and not "B" or "=<br>
> C") the updates from "D" will be applied.=A0 However an upda=<br>
> te from "E" presented to "B" or "C" will be f=<br>
> orwarded but not processed.<br><br>
> <br></div>Is this correct?<br><br></div>Bob<br><br></div><br>
><br>
> --001a11337302fad9ea04f49380b0--<br>
><br>
> --===============4542560060445475228==<br>
> Content-Type: text/plain; charset="us-ascii"<br>
> MIME-Version: 1.0<br>
> Content-Transfer-Encoding: 7bit<br>
> Content-Disposition: inline<br>
><br>
> _______________________________________________<br>
> Please visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe<br>
> from this list<br>
><br>
> bind-users mailing list<br>
> <a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
> <a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
> --===============4542560060445475228==--<br>
<span class="HOEnZb"><font color="#888888">--<br>
Mark Andrews, ISC<br>
1 Seymour St., Dundas Valley, NSW 2117, Australia<br>
PHONE: <a href="tel:%2B61%202%209871%204742" value="+61298714742">+61 2 9871 4742</a> INTERNET: <a href="mailto:marka@isc.org">marka@isc.org</a><br>
</font></span></blockquote></div><br></div>