I agree that TSIG or SIG(0) signed updates are certainly a more desirable approach than allowing updates via address. My DHCP server is setup to sign all of it's updates this way. However, I have AD domain controllers in the environment that don't currently use signed updates. Is there a fairly painless way to convert all the AD machines to signed updates?
TIA, Bob On Fri, Mar 14, 2014 at 12:41 PM, Mark Andrews <ma...@isc.org> wrote: > > If you are going to forward updates use TSIG or SIG(0) to sign the > update and stop worrying about addresses. TSIG and SIG(0) are > billions and billions of times stronger authenticators than a IP > address. > > "allow-update-forwarding { any; };" says forward all updates > regardless of the address they were sent from. > > As for you question. Addresses are not preserved so A doesn't know > it came from E unless the messages are signed. > > Mark > > In message <CAM-YptcevrqfJN0371Zk43gyDt5TiEKusf4EW6=XPvzpwP= > h...@mail.gmail.com> > , Bob McDonald writes: > > > > I want to confirm my understanding of security of DDNS updates. > > > > I have a stealth master "A" feeding slave "B" and "C". > > > > I have allow-update-forwarding { any; } specified on "B" and "C". > > > > If a client "D" presents an update to "B" or "C" it will automatically be > > forwarded to "A". > > > > If "B" or "C" are in the allow-updates ACL on "A" all updates will be > > applied. > > > > If "D" is in the allow-udates ACL on "A" (and not "B" or "C") the updates > > from "D" will be applied. However an update from "E" presented to "B" or > > "C" will be forwarded but not processed. > > > > Is this correct? > > No. > > > Bob > > > > --001a11337302fad9ea04f49380b0 > > Content-Type: text/html; charset=ISO-8859-1 > > Content-Transfer-Encoding: quoted-printable > > > > <div dir=3D"ltr"><div><div><div><div><div><div><div>I want to confirm my > un= > > derstanding of security of DDNS updates.<br><br></div>I have a stealth > mast= > > er "A" feeding slave "B" and > "C".<br><br></di= > > v> > > I have allow-update-forwarding { any; } specified on "B" and > &quo= > > t;C".<br><br></div>If a client "D" presents an update to > &qu= > > ot;B" or "C" it will automatically be forwarded to > "A&q= > > uot;.<br> > > <br></div>If "B" or "C" are in the allow-updates ACL > on= > > "A" all updates will be applied.<br><br></div>If > "D" i= > > s in the allow-udates ACL on "A" (and not "B" or > "= > > C") the updates from "D" will be applied.=A0 However an > upda= > > te from "E" presented to "B" or "C" will > be f= > > orwarded but not processed.<br> > > <br></div>Is this correct?<br><br></div>Bob<br><br></div> > > > > --001a11337302fad9ea04f49380b0-- > > > > --===============4542560060445475228== > > Content-Type: text/plain; charset="us-ascii" > > MIME-Version: 1.0 > > Content-Transfer-Encoding: 7bit > > Content-Disposition: inline > > > > _______________________________________________ > > Please visit https://lists.isc.org/mailman/listinfo/bind-users to > unsubscribe > > from this list > > > > bind-users mailing list > > bind-users@lists.isc.org > > https://lists.isc.org/mailman/listinfo/bind-users > > --===============4542560060445475228==-- > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org >
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users