On 31.12.2014 22:40, Jan Pazdziora wrote:
> On Wed, Dec 31, 2014 at 10:34:37PM +0100, Jan Pazdziora wrote:
>>
>>> endpoints, or their users, should not be trusted to
>>> make updates to DNS zones.  TSIG signed updates from servers are still
>>> preferred over authenticated updates from endpoints or users.
>>
>> Server has identity just like service, just like user. You can have
>> unimportant server and you can have important (admin) user. Ruling
>> out authentication
> 
> ... oops, I seem to have failed to finish this paragraph.
> 
> Ruling out authentication of identities means that you give up on
> centrally controlled access policies -- something that FreeIPA is
> good at, besides just storing identities.
> 
> In other words, instead of having increasing number of shared
> secrets around your network, it might be useful to adopt the
> approach when idenities can get created without many restrictions,
> and what you allow those identities to do is what matters.

Generally I agree with Jan.

If you insist on using TSIG, you can do that manually by editing named.conf on
IPA servers:
http://www.freeipa.org/page/Howto/DNS_updates_and_zone_transfers_with_TSIG

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to