On Wed, 2014-12-31 at 13:59 -0500, Brendan Kearney wrote:

> regardless of authentication, client updates to DNS zones are still a
> risk and a rogue app or user can still perform direct updates to zones,
> leading to impersonation/interception of services, denial of service
> attacks and more.  endpoints, or their users, should not be trusted to
> make updates to DNS zones.  TSIG signed updates from servers are still
> preferred over authenticated updates from endpoints or users.

Not really. With the default ipa configuration (grant ZONE.COM krb5-self
* A) the worst that the administrator of a workstation, with access to
the host keytab, could do is point the A record of her workstation to a
wrong address.

Please note that someone able to read the host keytab (root on the
workstation) could simply skip DHCP negotiation and assign to her
workstation any address she likes.

With the default ipa configuration a workstation can only set _its_ A,
AAAA and SSHFP records. No less and no more.

Best regards
Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:1...@lgs.com.ve
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford

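As an added example (not code from this thread or from FreeIPA/BIND), a small Python evaluator for a `grant ZONE.COM krb5-self * A` style dynamic-update policy like the default quoted above. It models BIND's krb5-self matching as I understand it (principal `host/<fqdn>@REALM`, realm must equal the rule's identity field, the rule's name field is ignored, first matching rule wins, default deny); the realm EXAMPLE.COM and the hostnames are constructed placeholders.

```python
import re

# Constructed policy text: the FreeIPA default as described in the mail
# (A, AAAA and SSHFP only), with the placeholder realm EXAMPLE.COM.
DEFAULT_POLICY = """
grant EXAMPLE.COM krb5-self * A;
grant EXAMPLE.COM krb5-self * AAAA;
grant EXAMPLE.COM krb5-self * SSHFP;
"""

_RULE = re.compile(r'^(grant|deny)\s+(\S+)\s+krb5-self\s+([^\s;]+)\s*([^;]*);?$', re.I)
_PRINCIPAL = re.compile(r'^host/([^/@]+)@([^@]+)$')


def parse_policy(text):
    """Parse 'grant|deny REALM krb5-self NAME [TYPES];' lines, keeping order."""
    rules = []
    for line in text.strip().splitlines():
        m = _RULE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule: {line!r}")
        action, realm, _name, types = m.groups()   # NAME is ignored for krb5-self
        rrtypes = {t.upper() for t in types.split()} or {"ANY"}
        rules.append((action.lower(), realm.upper(), rrtypes))
    return rules


def _norm(name):
    return name.lower().rstrip(".")


def update_allowed(policy, principal, owner, rrtype):
    """Assumed BIND semantics: first matching rule decides, otherwise deny."""
    m = _PRINCIPAL.match(principal)
    if not m:
        return False            # krb5-self only applies to host/<fqdn>@REALM
    machine, realm = m.groups()
    for action, rule_realm, rrtypes in policy:
        if rule_realm != realm.upper():
            continue            # identity field must equal the principal's realm
        if _norm(machine) != _norm(owner):
            continue            # a host may only touch its own name
        if not (rrtypes & {"ANY", "*", rrtype.upper()}):
            continue            # record type not covered by this rule
        return action == "grant"
    return False
```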
