Re: Logging question about message 'update-security: error: client update denied'

2016-05-17 Thread Josh Nielsen
Okay, yeah I am running DHCP on the same server so I'll check its settings.

Thanks!

On Mon, May 16, 2016 at 6:08 PM, Matthew Pounsett 
wrote:

>
>
> On 16 May 2016 at 19:03, Josh Nielsen  wrote:
>
>> Thank you for the response Mark. I'm still a little confused at what this
>> might mean though. Clearly the originating address is my slave DNS server
>> (every single one of the messages say "error: client 10.20.0.101").
>>
>> Are you saying that some process other than named on the same server
>> (10.20.0.101) is responsible for these messages (and is there a 'for
>> instance' of what could do such a thing?), or that somehow other hosts are
>> relaying their update requests (again: from what possible processes?)
>> through my slave dns server? What can I look for to figure this out on my
>> network?
>>
>
> Your DHCP daemon would be one thing that could be generating those
> messages.  Often it's configured to update the DNS with the addresses it's
> handing out (either forward, reverse, or both).
>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Logging question about message 'update-security: error: client update denied'

2016-05-17 Thread Matus UHLAR - fantomas

In message 
, Josh 
Nielsen writes:

I have a message that has been showing up in my master DNS server's log
over the past few weeks and I am wondering if I can find more verbose
specifics from debugging messages in BIND somehow.

The message looks like this:

May 16 10:52:16 dns01 named[2591]: 16-May-2016 10:52:16.844
update-security: error: client 10.20.0.101#34148: update 'my.domain/IN'
denied


On 17.05.16 07:24, Mark Andrews wrote:

It's an UPDATE request being denied.  It will be some process other
than named sending the request unless you have configured named to
forward updates.

In the best of worlds every machine would be updating its own PTR
records and keep its own addresses in the DNS up to date.


depends on the idealness of the world, but I personally don't like allowing
clients to update their DNS records, imho the DHCP server should do those
changes if it assigned the client an IP address
 

Master (10.20.0.110):

zone "my.domain" in {
type master;
file "db.my.domain";
allow-transfer {
10.20.0.100/32;
10.20.0.101/32;
};
allow-update {
key "xcat_key";
};
notify yes;
also-notify {10.20.0.100; 10.20.0.101;};
};


apparently the client who asks for update does not know the "xcat_key".

...many windows machines tend to register their name in DNS (it's
on by default in network settings).

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."


Re: Logging question about message 'update-security: error: client update denied'

2016-05-16 Thread Matthew Pounsett
On 16 May 2016 at 19:03, Josh Nielsen  wrote:

> Thank you for the response Mark. I'm still a little confused at what this
> might mean though. Clearly the originating address is my slave DNS server
> (every single one of the messages say "error: client 10.20.0.101").
>
> Are you saying that some process other than named on the same server
> (10.20.0.101) is responsible for these messages (and is there a 'for
> instance' of what could do such a thing?), or that somehow other hosts are
> relaying their update requests (again: from what possible processes?)
> through my slave dns server? What can I look for to figure this out on my
> network?
>

Your DHCP daemon would be one thing that could be generating those
messages.  Often it's configured to update the DNS with the addresses it's
handing out (either forward, reverse, or both).

Re: Logging question about message 'update-security: error: client update denied'

2016-05-16 Thread Josh Nielsen
Could it maybe be dhcp related?

On Mon, May 16, 2016 at 6:03 PM, Josh Nielsen 
wrote:

> Thank you for the response Mark. I'm still a little confused at what this
> might mean though. Clearly the originating address is my slave DNS server
> (every single one of the messages say "error: client 10.20.0.101").
>
> Are you saying that some process other than named on the same server
> (10.20.0.101) is responsible for these messages (and is there a 'for
> instance' of what could do such a thing?), or that somehow other hosts are
> relaying their update requests (again: from what possible processes?)
> through my slave dns server? What can I look for to figure this out on my
> network?
>
> Thanks in advance for any clarifications.
>
> -Josh
>
> On Mon, May 16, 2016 at 4:24 PM, Mark Andrews  wrote:
>
>>
>> In message > fxwgrhl5yssg0ear_fnnpyudzjcdy...@mail.gmail.com>, Josh Nielsen writes:
>> > Hello,
>> >
>> > I have a message that has been showing up in my master DNS server's log
>> > over the past few weeks and I am wondering if I can find more verbose
>> > specifics from debugging messages in BIND somehow.
>> >
>> > The message looks like this:
>> >
>> > May 16 10:52:16 dns01 named[2591]: 16-May-2016 10:52:16.844
>> > update-security: error: client 10.20.0.101#34148: update 'my.domain/IN'
>> > denied
>>
>> It's an UPDATE request being denied.  It will be some process other
>> than named sending the request unless you have configured named to
>> forward updates.
>>
>> In the best of worlds every machine would be updating its own PTR
>> records and keep its own addresses in the DNS up to date.
>>
>> Mark
>>
>> > The frequency of the messages is sporadic. Sometimes two or three times
>> in an
>> > hour, sometimes once each hour, sometimes 2-3 hours go by before I see
>> one,
>> > but I get multiple a day.
>> >
>> > I take it that this means that for some reason the slave is trying to
>> > update the master with some entry, even though I haven't explicitly set
>> up
>> > my slave server to be capable of doing so (that I know of). I intended
>> to
>> > have the slaves only receive changes coming down from the master but
>> not to
>> > try pushing changes up.
>> >
>> > Here is the zone block for the domain in question in the master and
>> slave
>> > servers' /etc/named.conf:
>> >
>> > Master (10.20.0.110):
>> >
>> > zone "my.domain" in {
>> > type master;
>> > file "db.my.domain";
>> > allow-transfer {
>> > 10.20.0.100/32;
>> > 10.20.0.101/32;
>> > };
>> > allow-update {
>> > key "xcat_key";
>> > };
>> > notify yes;
>> > also-notify {10.20.0.100; 10.20.0.101;};
>> > };
>> >
>> > Slave #2 (10.20.0.101):
>> >
>> > zone "my.domain" in {
>> > type slave;
>> > file "slaves/db.my.domain";
>> > masters {10.20.0.110;};
>> > };
>> >
>> > There are no complaints about Slave #1 in the master's log, though it is
>> > basically a clone of Slave #2. They provide name resolution for a
>> compute
>> > cluster and the cluster nodes point to both of them in their resolv.conf
>> > but in alternating order for load balancing purposes. Is there a way
>> that I
>> > can get more detail of what specifically the DNS slave server is trying
>> to
>> > update the master with (maybe via more verbose output on the slave
>> itself)?
>> >
>> > Master BIND version: BIND 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
>> > Slave BIND version: BIND 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6
>> >
>> > Thanks,
>> > Josh
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>>
>
>

Re: Logging question about message 'update-security: error: client update denied'

2016-05-16 Thread Josh Nielsen
Thank you for the response Mark. I'm still a little confused at what this
might mean though. Clearly the originating address is my slave DNS server
(every single one of the messages say "error: client 10.20.0.101").

Are you saying that some process other than named on the same server
(10.20.0.101) is responsible for these messages (and is there a 'for
instance' of what could do such a thing?), or that somehow other hosts are
relaying their update requests (again: from what possible processes?)
through my slave dns server? What can I look for to figure this out on my
network?

Thanks in advance for any clarifications.

-Josh

On Mon, May 16, 2016 at 4:24 PM, Mark Andrews  wrote:

>
> In message  fxwgrhl5yssg0ear_fnnpyudzjcdy...@mail.gmail.com>, Josh Nielsen writes:
> > Hello,
> >
> > I have a message that has been showing up in my master DNS server's log
> > over the past few weeks and I am wondering if I can find more verbose
> > specifics from debugging messages in BIND somehow.
> >
> > The message looks like this:
> >
> > May 16 10:52:16 dns01 named[2591]: 16-May-2016 10:52:16.844
> > update-security: error: client 10.20.0.101#34148: update 'my.domain/IN'
> > denied
>
> It's an UPDATE request being denied.  It will be some process other
> than named sending the request unless you have configured named to
> forward updates.
>
> In the best of worlds every machine would be updating its own PTR
> records and keep its own addresses in the DNS up to date.
>
> Mark
>
> > The frequency of the messages is sporadic. Sometimes two or three times in
> an
> > hour, sometimes once each hour, sometimes 2-3 hours go by before I see
> one,
> > but I get multiple a day.
> >
> > I take it that this means that for some reason the slave is trying to
> > update the master with some entry, even though I haven't explicitly set
> up
> > my slave server to be capable of doing so (that I know of). I intended to
> > have the slaves only receive changes coming down from the master but not
> to
> > try pushing changes up.
> >
> > Here is the zone block for the domain in question in the master and slave
> > servers' /etc/named.conf:
> >
> > Master (10.20.0.110):
> >
> > zone "my.domain" in {
> > type master;
> > file "db.my.domain";
> > allow-transfer {
> > 10.20.0.100/32;
> > 10.20.0.101/32;
> > };
> > allow-update {
> > key "xcat_key";
> > };
> > notify yes;
> > also-notify {10.20.0.100; 10.20.0.101;};
> > };
> >
> > Slave #2 (10.20.0.101):
> >
> > zone "my.domain" in {
> > type slave;
> > file "slaves/db.my.domain";
> > masters {10.20.0.110;};
> > };
> >
> > There are no complaints about Slave #1 in the master's log, though it is
> > basically a clone of Slave #2. They provide name resolution for a compute
> > cluster and the cluster nodes point to both of them in their resolv.conf
> > but in alternating order for load balancing purposes. Is there a way
> that I
> > can get more detail of what specifically the DNS slave server is trying
> to
> > update the master with (maybe via more verbose output on the slave
> itself)?
> >
> > Master BIND version: BIND 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
> > Slave BIND version: BIND 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6
> >
> > Thanks,
> > Josh
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>

Re: Logging question about message 'update-security: error: client update denied'

2016-05-16 Thread Mark Andrews

In message 
, Josh 
Nielsen writes:
> Hello,
> 
> I have a message that has been showing up in my master DNS server's log
> over the past few weeks and I am wondering if I can find more verbose
> specifics from debugging messages in BIND somehow.
> 
> The message looks like this:
> 
> May 16 10:52:16 dns01 named[2591]: 16-May-2016 10:52:16.844
> update-security: error: client 10.20.0.101#34148: update 'my.domain/IN'
> denied

It's an UPDATE request being denied.  It will be some process other
than named sending the request unless you have configured named to
forward updates.

In the best of worlds every machine would be updating its own PTR
records and keep its own addresses in the DNS up to date.

Mark

> The frequency of the messages is sporadic. Sometimes two or three times in an
> hour, sometimes once each hour, sometimes 2-3 hours go by before I see one,
> but I get multiple a day.
> 
> I take it that this means that for some reason the slave is trying to
> update the master with some entry, even though I haven't explicitly set up
> my slave server to be capable of doing so (that I know of). I intended to
> have the slaves only receive changes coming down from the master but not to
> try pushing changes up.
> 
> Here is the zone block for the domain in question in the master and slave
> servers' /etc/named.conf:
> 
> Master (10.20.0.110):
> 
> zone "my.domain" in {
> type master;
> file "db.my.domain";
> allow-transfer {
> 10.20.0.100/32;
> 10.20.0.101/32;
> };
> allow-update {
> key "xcat_key";
> };
> notify yes;
> also-notify {10.20.0.100; 10.20.0.101;};
> };
> 
> Slave #2 (10.20.0.101):
> 
> zone "my.domain" in {
> type slave;
> file "slaves/db.my.domain";
> masters {10.20.0.110;};
> };
> 
> There are no complaints about Slave #1 in the master's log, though it is
> basically a clone of Slave #2. They provide name resolution for a compute
> cluster and the cluster nodes point to both of them in their resolv.conf
> but in alternating order for load balancing purposes. Is there a way that I
> can get more detail of what specifically the DNS slave server is trying to
> update the master with (maybe via more verbose output on the slave itself)?
> 
> Master BIND version: BIND 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
> Slave BIND version: BIND 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6
> 
> Thanks,
> Josh
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Logging question about message 'update-security: error: client update denied'

2016-05-16 Thread Josh Nielsen
Hello,

I have a message that has been showing up in my master DNS server's log
over the past few weeks and I am wondering if I can find more verbose
specifics from debugging messages in BIND somehow.

The message looks like this:

May 16 10:52:16 dns01 named[2591]: 16-May-2016 10:52:16.844
update-security: error: client 10.20.0.101#34148: update 'my.domain/IN'
denied

The frequency of the messages is sporadic. Sometimes two or three times in an
hour, sometimes once each hour, sometimes 2-3 hours go by before I see one,
but I get multiple a day.

I take it that this means that for some reason the slave is trying to
update the master with some entry, even though I haven't explicitly set up
my slave server to be capable of doing so (that I know of). I intended to
have the slaves only receive changes coming down from the master but not to
try pushing changes up.

Here is the zone block for the domain in question in the master and slave
servers' /etc/named.conf:

Master (10.20.0.110):

zone "my.domain" in {
type master;
file "db.my.domain";
allow-transfer {
10.20.0.100/32;
10.20.0.101/32;
};
allow-update {
key "xcat_key";
};
notify yes;
also-notify {10.20.0.100; 10.20.0.101;};
};

Slave #2 (10.20.0.101):

zone "my.domain" in {
type slave;
file "slaves/db.my.domain";
masters {10.20.0.110;};
};

There are no complaints about Slave #1 in the master's log, though it is
basically a clone of Slave #2. They provide name resolution for a compute
cluster and the cluster nodes point to both of them in their resolv.conf
but in alternating order for load balancing purposes. Is there a way that I
can get more detail of what specifically the DNS slave server is trying to
update the master with (maybe via more verbose output on the slave itself)?

Master BIND version: BIND 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
Slave BIND version: BIND 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6

Thanks,
Josh
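To narrow down which process is behind the denials, it helps to tally the denied updates per source address and zone and look at their timing and source ports. The following Python script is added here and is not part of the thread; it parses lines in the format quoted above. The sample log lines, the timestamps and the second client address 10.20.0.57 are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in the format quoted in the thread.
SAMPLE_LOG = """\
May 16 10:52:16 dns01 named[2591]: 16-May-2016 10:52:16.844 update-security: error: client 10.20.0.101#34148: update 'my.domain/IN' denied
May 16 11:40:03 dns01 named[2591]: 16-May-2016 11:40:03.102 update-security: error: client 10.20.0.101#40211: update 'my.domain/IN' denied
May 16 11:41:55 dns01 named[2591]: 16-May-2016 11:41:55.517 update-security: error: client 10.20.0.101#40212: update 'my.domain/IN' denied
May 16 14:05:30 dns01 named[2591]: 16-May-2016 14:05:30.009 update-security: error: client 10.20.0.57#51002: update 'my.domain/IN' denied
May 16 14:06:00 dns01 named[2591]: 16-May-2016 14:06:00.250 general: info: zone my.domain/IN: sending notifies (serial 2016051601)
"""

# Matches named's own timestamp, the client address#port and the zone name.
DENIED_RE = re.compile(
    r"(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"update-security: error: client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"update '(?P<zone>[^']+)' denied"
)


def parse_denials(log_text):
    """Return a list of (timestamp, client_ip, source_port, zone) tuples,
    one per denied UPDATE; lines from other log categories are skipped."""
    events = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
        events.append((ts, m.group("ip"), int(m.group("port")), m.group("zone")))
    return events


def summarize(events, known_slaves=()):
    """Group denials by (client, zone). For each group report the count, the
    number of distinct source ports and the gaps between consecutive attempts
    in seconds. Many distinct ephemeral ports from one address point to a
    short-lived client socket per attempt (a DHCP daemon or a host's own
    registration client) rather than a long-running named-to-named channel;
    is_known_slave flags addresses that are also in allow-transfer."""
    per_client = defaultdict(list)
    for ts, ip, port, zone in events:
        per_client[(ip, zone)].append((ts, port))
    summary = {}
    for key, hits in per_client.items():
        hits.sort()
        gaps = [int((b[0] - a[0]).total_seconds()) for a, b in zip(hits, hits[1:])]
        summary[key] = {
            "count": len(hits),
            "distinct_ports": len({p for _, p in hits}),
            "gaps_seconds": gaps,
            "is_known_slave": key[0] in known_slaves,
        }
    return summary


if __name__ == "__main__":
    report = summarize(parse_denials(SAMPLE_LOG), known_slaves=("10.20.0.100", "10.20.0.101"))
    for (ip, zone), info in sorted(report.items()):
        print(ip, zone, info)
```

Run it against the real log with `named`'s `update-security` category at its default level; the slave's own named never sends UPDATEs unless update forwarding is configured, so a flagged slave address means another process on that host.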

Re: Update Security

2014-03-17 Thread Chris Buxton
On Mar 16, 2014, at 3:32 AM, Bob McDonald  wrote:

> Ok so it's not painless.  Do the updates still get forwarded to the master by 
> the slaves or do I need to have all Windows devices needing update capability 
> to point at the master?
> 
> TIA,
> 
> Bob

I don't believe it works with update forwarding. I've certainly never gotten it 
to work. However, Microsoft will send the updates to the master listed in the 
SOA record, so as long as that shows your otherwise-hidden master, and firewall 
access is set up for it, everything should work fine.

Regards,
Chris Buxton


> On Fri, Mar 14, 2014 at 7:36 PM, Chris Buxton  wrote:
> On Mar 14, 2014, at 10:50 AM, Bob McDonald  wrote:
> 
> > I agree that TSIG or SIG(0) signed updates are certainly a more desirable 
> > approach than allowing updates via address.  My DHCP server is set up to 
> > sign all of its updates this way.  However, I have AD domain controllers 
> > in the environment that don't currently use signed updates.  Is there a 
> > fairly painless way to convert all the AD machines to signed updates?
> 
> You would need to set up GSS-TSIG, which is not painless. (It's certainly 
> doable, but there are plenty of pitfalls to overcome.) Windows doesn't 
> support TSIG, just GSS-TSIG.
> 
> AFAIK, use of GSS-TSIG requires update-policy instead of allow-update on the 
> master.
> 
> Regards,
> Chris Buxton.
> 


Re: Update Security

2014-03-17 Thread Bob McDonald
Signed updates, that is...


On Sun, Mar 16, 2014 at 5:32 AM, Bob McDonald  wrote:

> Ok so it's not painless.  Do the updates still get forwarded to the master
> by the slaves or do I need to have all Windows devices needing update
> capability to point at the master?
>
> TIA,
>
> Bob
>
>
>
> On Fri, Mar 14, 2014 at 7:36 PM, Chris Buxton wrote:
>
>> On Mar 14, 2014, at 10:50 AM, Bob McDonald  wrote:
>>
>> > I agree that TSIG or SIG(0) signed updates are certainly a more
>> desirable approach than allowing updates via address.  My DHCP server is
>> set up to sign all of its updates this way.  However, I have AD domain
>> controllers in the environment that don't currently use signed updates.  Is
>> there a fairly painless way to convert all the AD machines to signed
>> updates?
>>
>> You would need to set up GSS-TSIG, which is not painless. (It's certainly
>> doable, but there are plenty of pitfalls to overcome.) Windows doesn't
>> support TSIG, just GSS-TSIG.
>>
>> AFAIK, use of GSS-TSIG requires update-policy instead of allow-update on
>> the master.
>>
>> Regards,
>> Chris Buxton.
>
>
>

Re: Update Security

2014-03-16 Thread Bob McDonald
Ok so it's not painless.  Do the updates still get forwarded to the master
by the slaves or do I need to have all Windows devices needing update
capability to point at the master?

TIA,

Bob



On Fri, Mar 14, 2014 at 7:36 PM, Chris Buxton wrote:

> On Mar 14, 2014, at 10:50 AM, Bob McDonald  wrote:
>
> > I agree that TSIG or SIG(0) signed updates are certainly a more
> desirable approach than allowing updates via address.  My DHCP server is
> set up to sign all of its updates this way.  However, I have AD domain
> controllers in the environment that don't currently use signed updates.  Is
> there a fairly painless way to convert all the AD machines to signed
> updates?
>
> You would need to set up GSS-TSIG, which is not painless. (It's certainly
> doable, but there are plenty of pitfalls to overcome.) Windows doesn't
> support TSIG, just GSS-TSIG.
>
> AFAIK, use of GSS-TSIG requires update-policy instead of allow-update on
> the master.
>
> Regards,
> Chris Buxton.

Re: Update Security

2014-03-14 Thread Chris Buxton
On Mar 14, 2014, at 10:50 AM, Bob McDonald  wrote:

> I agree that TSIG or SIG(0) signed updates are certainly a more desirable 
> approach than allowing updates via address.  My DHCP server is set up to sign 
> all of its updates this way.  However, I have AD domain controllers in the 
> environment that don't currently use signed updates.  Is there a fairly 
> painless way to convert all the AD machines to signed updates?

You would need to set up GSS-TSIG, which is not painless. (It's certainly 
doable, but there are plenty of pitfalls to overcome.) Windows doesn't support 
TSIG, just GSS-TSIG.

AFAIK, use of GSS-TSIG requires update-policy instead of allow-update on the 
master.

Regards,
Chris Buxton.


Re: Update Security

2014-03-14 Thread Bob McDonald
I agree that TSIG or SIG(0) signed updates are certainly a more desirable
approach than allowing updates via address.  My DHCP server is set up to
sign all of its updates this way.  However, I have AD domain controllers
in the environment that don't currently use signed updates.  Is there a
fairly painless way to convert all the AD machines to signed updates?

TIA,

Bob



On Fri, Mar 14, 2014 at 12:41 PM, Mark Andrews  wrote:

>
> If you are going to forward updates use TSIG or SIG(0) to sign the
> update and stop worrying about addresses.  TSIG and SIG(0) are
> billions and billions of times stronger authenticators than an IP
> address.
>
> "allow-update-forwarding { any; };" says forward all updates
> regardless of the address they were sent from.
>
> As for your question.  Addresses are not preserved so A doesn't know
> it came from E unless the messages are signed.
>
> Mark
>
> In message  h...@mail.gmail.com>
> , Bob McDonald writes:
> >
> > I want to confirm my understanding of security of DDNS updates.
> >
> > I have a stealth master "A" feeding slave "B" and "C".
> >
> > I have allow-update-forwarding { any; } specified on "B" and "C".
> >
> > If a client "D" presents an update to "B" or "C" it will automatically be
> > forwarded to "A".
> >
> > If "B" or "C" are in the allow-updates ACL on "A" all updates will be
> > applied.
> >
> > If "D" is in the allow-updates ACL on "A" (and not "B" or "C") the updates
> > from "D" will be applied.  However an update from "E" presented to "B" or
> > "C" will be forwarded but not processed.
> >
> > Is this correct?
>
> No.
>
> > Bob
> >
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>

Re: Update Security

2014-03-14 Thread Mark Andrews

If you are going to forward updates use TSIG or SIG(0) to sign the
update and stop worrying about addresses.  TSIG and SIG(0) are
billions and billions of times stronger authenticators than an IP
address.

"allow-update-forwarding { any; };" says forward all updates
regardless of the address they were sent from.

As for your question.  Addresses are not preserved so A doesn't know
it came from E unless the messages are signed.

Mark

In message 
, Bob McDonald writes:
> 
> I want to confirm my understanding of security of DDNS updates.
> 
> I have a stealth master "A" feeding slave "B" and "C".
> 
> I have allow-update-forwarding { any; } specified on "B" and "C".
> 
> If a client "D" presents an update to "B" or "C" it will automatically be
> forwarded to "A".
> 
> If "B" or "C" are in the allow-updates ACL on "A" all updates will be
> applied.
> 
> If "D" is in the allow-updates ACL on "A" (and not "B" or "C") the updates
> from "D" will be applied.  However an update from "E" presented to "B" or
> "C" will be forwarded but not processed.
> 
> Is this correct?

No.

> Bob
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
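Mark's point about forwarding can be seen in a small model of the client to slave to master path. This Python model is added here and is not part of the thread or of BIND: the slave re-sends the update from its own address, so an address ACL on the master can only ever see the slave, while an HMAC over the update (standing in for TSIG; the wire format is not modelled) survives forwarding and identifies the key holder. The key name `xcat_key` is taken from the other thread on this page; its secret, the addresses A to E and the update body are constructed.

```python
import hashlib
import hmac

# Constructed shared secret; in BIND it would be the `key` statement's secret,
# configured identically on the master and on the signing client.
KEYS = {"xcat_key": b"constructed-secret-not-a-real-key"}

# Constructed update body standing in for the UPDATE message's content.
BODY = b"add host1.my.domain. 300 IN A 10.20.0.57"


def sign_update(key_name, secret, body):
    """Attach a TSIG-style MAC (HMAC-SHA256 over the body) and the key name
    so the receiver knows which secret to verify with."""
    mac = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return {"body": body, "key_name": key_name, "mac": mac}


def unsigned_update(body):
    return {"body": body, "key_name": None, "mac": None}


def acl_allows(acl, addr):
    """Address ACL: 'any' matches everything, otherwise exact membership."""
    return acl == "any" or addr in acl


class Master:
    """Hidden master 'A': judges the update it actually receives."""

    def __init__(self, allow_update_addrs, allow_update_keys, keys):
        self.allow_update_addrs = allow_update_addrs
        self.allow_update_keys = allow_update_keys
        self.keys = keys

    def receive(self, src_addr, update):
        if update["key_name"] is not None:
            secret = self.keys.get(update["key_name"])
            if secret is None:
                return ("REFUSED", "unknown key %s" % update["key_name"])
            expected = hmac.new(secret, update["body"], hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, update["mac"]):
                return ("REFUSED", "bad signature under key %s" % update["key_name"])
            if update["key_name"] in self.allow_update_keys:
                return ("NOERROR", "accepted: signed by %s" % update["key_name"])
            return ("REFUSED", "key %s not in allow-update" % update["key_name"])
        # Unsigned: all the master can check is the address it sees, which
        # after forwarding is the slave's, never the original client's.
        if acl_allows(self.allow_update_addrs, src_addr):
            return ("NOERROR", "accepted: source %s in allow-update" % src_addr)
        return ("REFUSED", "update denied for source %s" % src_addr)


class Slave:
    """Slave 'B' with allow-update-forwarding; it re-sends the update to the
    master from its OWN address, so the client's address is not preserved."""

    def __init__(self, address, master, forwarding_acl):
        self.address = address
        self.master = master
        self.forwarding_acl = forwarding_acl

    def receive(self, src_addr, update):
        if not acl_allows(self.forwarding_acl, src_addr):
            return ("REFUSED", "forwarding denied for source %s" % src_addr)
        return self.master.receive(self.address, update)


def run(client, update, master_addr_acl=(), master_key_acl=(), fwd_acl="any"):
    """Send `update` from `client` via slave B to master A; return A's verdict."""
    master = Master(set(master_addr_acl), set(master_key_acl), KEYS)
    slave = Slave("B", master, fwd_acl)
    return slave.receive(client, update)


if __name__ == "__main__":
    # D is in A's address ACL, but A only ever sees B: denied.
    print(run("D", unsigned_update(BODY), master_addr_acl={"D"}))
    # B in A's address ACL lets any client through B, including E: accepted.
    print(run("E", unsigned_update(BODY), master_addr_acl={"B", "C"}))
    # Signed with the shared key: accepted whatever path it took.
    print(run("D", sign_update("xcat_key", KEYS["xcat_key"], BODY), master_key_acl={"xcat_key"}))
    # E guessing the key name without the secret: bad signature.
    print(run("E", sign_update("xcat_key", b"wrong", BODY), master_key_acl={"xcat_key"}))
```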


Update Security

2014-03-14 Thread Bob McDonald
I want to confirm my understanding of security of DDNS updates.

I have a stealth master "A" feeding slave "B" and "C".

I have allow-update-forwarding { any; } specified on "B" and "C".

If a client "D" presents an update to "B" or "C" it will automatically be
forwarded to "A".

If "B" or "C" are in the allow-updates ACL on "A" all updates will be
applied.

If "D" is in the allow-updates ACL on "A" (and not "B" or "C") the updates
from "D" will be applied.  However an update from "E" presented to "B" or
"C" will be forwarded but not processed.

Is this correct?

Bob