On 31.12.2014 22:40, Jan Pazdziora wrote:
> On Wed, Dec 31, 2014 at 10:34:37PM +0100, Jan Pazdziora wrote:
>>> endpoints, or their users, should not be trusted to
>>> make updates to DNS zones.  TSIG signed updates from servers are still
>>> preferred over authenticated updates from endpoints or users.
>> Server has identity just like service, just like user. You can have
>> unimportant server and you can have important (admin) user. Ruling
>> out authentication
> ... oops, I seem to have failed to finish this paragraph.
> Ruling out authentication of identities means that you give up on
> centrally controlled access policies -- something that FreeIPA is
> good at, besides just storing identities.
> In other words, instead of having an increasing number of shared
> secrets around your network, it might be useful to adopt the
> approach where identities can get created without many restrictions,
> and what you allow those identities to do is what matters.

Generally I agree with Jan.

If you insist on using TSIG, you can do that manually by editing named.conf on
IPA servers:

Petr^2 Spacek
