On Mon, Dec 29, 2014 at 07:12:26PM -0500, Brendan Kearney wrote:
> On Mon, 2014-12-29 at 16:53 -0500, Dmitri Pal wrote:
> > bind-dyndb-ldap is a back end driver for BIND to get data from an LDAP 
> > storage.
> > The updates are done by BIND. The IPA BIND accepts kerberos based updates.
> > 
> > http://www.freeipa.org/page/FreeIPAv2:Dynamic_updates_with_GSS-TSIG
> this allows for a ticketed client to update DNS records directly, which
> is not a best practice and is a huge security risk.  clients should not
> be able to manipulate DNS zones.

Only if you configure that. But you don't have to grant krb5-self,
you can grant the

        SERVICE\047ipaserver.example....@example.com wildcard * ANY;

and just have the DHCP service call nsupdate -g.

> dynamic updates to DNS zones should come from DHCP, where dynamic
> addressing is managed.  as such, i have directives in DHCP and DNS to
> establish authenticated updates between DHCP and DNS.  for example:
> /etc/named.conf:
> key "dhcp" {
>         algorithm hmac-md5;
>         secret SomeRandomString;
> };

With FreeIPA, Kerberos authentication is really the preferred way
of integrating pieces together because it provides the identity of
the service running the action, not just some shared secret / password.

> because the DHCP daemon is not kerberized, the update policies do not


> i am wondering how to manage DDNS updates from DHCP, where kerberized
> updates are not likely going to happen.

What DHCP software is that and how hard would it be to Kerberize it?

Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
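As an added example (not from this thread, and not code shipped by FreeIPA or ISC DHCP), here is what "have the DHCP service call nsupdate -g" can look like in practice: a POSIX sh hook that a DHCP server runs on lease commit or release, which obtains a TGT from a keytab and pushes the A and PTR records with GSS-TSIG, so the update is authenticated as a dedicated service principal rather than with a shared HMAC key. The principal `DHCP/dhcp.example.com@EXAMPLE.COM`, the keytab path, the zone `example.com`, the server `ipaserver.example.com` and the host names used in the comments are all assumptions; the zone's update policy has to grant that principal (on FreeIPA via `ipa dnszone-mod example.com --update-policy=...`, mirroring the grant line quoted above).

```shell
#!/bin/sh
# Added example, not part of the original thread or of FreeIPA.
# DDNS hook for a DHCP server: called as
#   dhcp-ddns.sh add|delete <hostname> <ipv4>
# and pushes A/PTR records to an IPA-managed BIND via GSS-TSIG.
#
# Assumed (hypothetical) names, override with environment variables:
DDNS_KEYTAB=${DDNS_KEYTAB:-/etc/dhcp/dhcp.keytab}
DDNS_PRINCIPAL=${DDNS_PRINCIPAL:-DHCP/dhcp.example.com@EXAMPLE.COM}
DDNS_ZONE=${DDNS_ZONE:-example.com}
DDNS_SERVER=${DDNS_SERVER:-ipaserver.example.com}
DDNS_TTL=${DDNS_TTL:-3600}
# Private credential cache so the hook never picks up a user's tickets.
export KRB5CCNAME=${KRB5CCNAME:-/run/dhcp-ddns.ccache}
#
# The matching zone update policy (assumed) would be:
#   grant DHCP/dhcp.example.com@EXAMPLE.COM wildcard * ANY;
# With FreeIPA that is set with:
#   ipa dnszone-mod example.com \
#     --update-policy='grant DHCP/dhcp.example.com@EXAMPLE.COM wildcard * ANY;'

# Turn a dotted IPv4 address into its in-addr.arpa owner name.
# Returns 1 on anything that is not four octets of 0-255.
reverse_ptr() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.in-addr.arpa.\n' "$4" "$3" "$2" "$1"
}

# Emit the nsupdate command stream for one lease event.
#   $1 = add|delete, $2 = host label, $3 = IPv4 address
# The forward and reverse records live in different zones, so each
# gets its own transaction ("send"); nsupdate finds the zone via SOA.
build_nsupdate_script() {
    action=$1; host=$2; ip=$3
    case "$action" in add|delete) ;; *) return 1 ;; esac
    # The host-name option comes from the DHCP client, i.e. from an
    # untrusted party. Accept only a plain label so that no newline or
    # extra nsupdate directive can be smuggled into the update stream.
    case "$host" in
        ''|-*|*-|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    ptr=$(reverse_ptr "$ip") || return 1
    fqdn="$host.$DDNS_ZONE."
    printf 'server %s\n' "$DDNS_SERVER"
    # Remove stale data first so a host that changes address does not
    # keep its old A record.
    printf 'update delete %s A\n' "$fqdn"
    if [ "$action" = add ]; then
        printf 'update add %s %s A %s\n' "$fqdn" "$DDNS_TTL" "$ip"
    fi
    printf 'send\n'
    printf 'update delete %s PTR\n' "$ptr"
    if [ "$action" = add ]; then
        printf 'update add %s %s PTR %s\n' "$ptr" "$DDNS_TTL" "$fqdn"
    fi
    printf 'send\n'
}

# Get a TGT for the service principal from its keytab, then let
# nsupdate -g sign the update with GSS-TSIG using that ticket.
run_update() {
    kinit -kt "$DDNS_KEYTAB" "$DDNS_PRINCIPAL" || return 1
    build_nsupdate_script "$@" | nsupdate -g
}

# Only talk to the KDC and DNS server when explicitly invoked as a hook.
if [ -n "${DDNS_RUN:-}" ]; then
    run_update "$@"
fi
```

Run it from the DHCP server's lease-commit hook with `DDNS_RUN=1 dhcp-ddns.sh add "$hostname" "$ip"` (and `delete` on release or expiry). The keytab should be readable only by the DHCP service account, and the grant should name exactly that principal: with a wildcard grant in place, whoever holds that keytab can rewrite the whole zone, which is why the principal here is a dedicated one and not `krb5-self` for every client.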

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project
