Re: [Freeipa-users] bind-dyndb-ldap and ddns updates from dhcp
On 31.12.2014 22:40, Jan Pazdziora wrote:
> On Wed, Dec 31, 2014 at 10:34:37PM +0100, Jan Pazdziora wrote:
>>> endpoints, or their users, should not be trusted to make updates to DNS zones. TSIG signed updates from servers are still preferred over authenticated updates from endpoints or users.
>> Server has identity just like service, just like user. You can have an unimportant server and you can have an important (admin) user. Ruling out authentication
>
> ... oops, I seem to have failed to finish this paragraph.
>
> Ruling out authentication of identities means that you give up on centrally controlled access policies -- something that FreeIPA is good at, besides just storing identities.
>
> In other words, instead of having an increasing number of shared secrets around your network, it might be useful to adopt the approach when identities can get created without many restrictions, and what you allow those identities to do is what matters.

Generally I agree with Jan.

If you insist on using TSIG, you can do that manually by editing named.conf on IPA servers:
http://www.freeipa.org/page/Howto/DNS_updates_and_zone_transfers_with_TSIG

--
Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] bind-dyndb-ldap and ddns updates from dhcp
On Mon, Dec 29, 2014 at 07:12:26PM -0500, Brendan Kearney wrote:
> On Mon, 2014-12-29 at 16:53 -0500, Dmitri Pal wrote:
>> bind-dyndb-ldap is a back end driver for BIND to get data from an LDAP storage. The updates are done by BIND. The IPA BIND accepts kerberos based updates.
>> http://www.freeipa.org/page/FreeIPAv2:Dynamic_updates_with_GSS-TSIG
>
> this allows for a ticketed client to update DNS records directly, which is not a best practice and is a huge security risk. clients should not be able to manipulate DNS zones.

Only if you configure that. But you don't have to grant krb5-self, you can grant the

    SERVICE\047ipaserver.example@example.com wildcard * ANY;

and just have the DHCP service call nsupdate -g.

> dynamic updates to DNS zones should come from DHCP, where dynamic addressing is managed. as such, i have directives in DHCP and DNS to establish authenticated updates between DHCP and DNS. for example:
>
> /etc/named.conf:
> key dhcp {
>     algorithm hmac-md5;
>     secret SomeRandomString;
> };

With FreeIPA, Kerberos authentication is really the preferred way of integrating pieces together because it provides the identity of the service running the action, not just some shared secret / password.

> because the DHCP daemon is not kerberized, the update policies do not
[...]
> i am wondering how to manage DDNS updates from DHCP, where kerberized updates are not likely going to happen.

What DHCP software is that and how hard would it be to Kerberize it?

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] bind-dyndb-ldap and ddns updates from dhcp
On Wed, 2014-12-31 at 19:06 +0100, Jan Pazdziora wrote:
> On Mon, Dec 29, 2014 at 07:12:26PM -0500, Brendan Kearney wrote:
>> On Mon, 2014-12-29 at 16:53 -0500, Dmitri Pal wrote:
>>> bind-dyndb-ldap is a back end driver for BIND to get data from an LDAP storage. The updates are done by BIND. The IPA BIND accepts kerberos based updates.
>>> http://www.freeipa.org/page/FreeIPAv2:Dynamic_updates_with_GSS-TSIG
>>
>> this allows for a ticketed client to update DNS records directly, which is not a best practice and is a huge security risk. clients should not be able to manipulate DNS zones.
>
> Only if you configure that. But you don't have to grant krb5-self, you can grant the
>
>     SERVICE\047ipaserver.example@example.com wildcard * ANY;
>
> and just have the DHCP service call nsupdate -g.
>
>> dynamic updates to DNS zones should come from DHCP, where dynamic addressing is managed. as such, i have directives in DHCP and DNS to establish authenticated updates between DHCP and DNS. for example:
>>
>> /etc/named.conf:
>> key dhcp {
>>     algorithm hmac-md5;
>>     secret SomeRandomString;
>> };
>
> With FreeIPA, Kerberos authentication is really the preferred way of integrating pieces together because it provides the identity of the service running the action, not just some shared secret / password.
>
>> because the DHCP daemon is not kerberized, the update policies do not
> [...]
>> i am wondering how to manage DDNS updates from DHCP, where kerberized updates are not likely going to happen.
>
> What DHCP software is that and how hard would it be to Kerberize it?

i have played with nsupdate, and it does look like updates will be allowed if i remove the access restriction, but i am losing the authenticity of the update, since the TSIG shared secret signs the update.

regardless of authentication, client updates to DNS zones are still a risk and a rogue app or user can still perform direct updates to zones, leading to impersonation/interception of services, denial of service attacks and more.

endpoints, or their users, should not be trusted to make updates to DNS zones. TSIG signed updates from servers are still preferred over authenticated updates from endpoints or users.

i am using ISC DHCP, and cannot speak to any level of effort required to incorporate Kerberos into the code.
Re: [Freeipa-users] bind-dyndb-ldap and ddns updates from dhcp
On Wed, 31-12-2014 at 13:59 -0500, Brendan Kearney wrote:
> regardless of authentication, client updates to DNS zones are still a risk and a rogue app or user can still perform direct updates to zones, leading to impersonation/interception of services, denial of service attacks and more.
>
> endpoints, or their users, should not be trusted to make updates to DNS zones. TSIG signed updates from servers are still preferred over authenticated updates from endpoints or users.

Not really. With the default ipa configuration (grant ZONE.COM krb5-self * A) the worst that the administrator of a workstation, with access to the host keytab, could do is point the A record of her workstation to a wrong address.

Please note that someone able to read the host keytab (root on the workstation) could simply skip dhcp negotiation and assign to her workstation any address she likes.

With the default ipa configuration a workstation can only set _its_ A, and SSHFP records. No less and no more.

Best regards

--
Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:1...@lgs.com.ve
If I'd asked my customers what they wanted, they'd have said a faster horse - Henry Ford
Re: [Freeipa-users] bind-dyndb-ldap and ddns updates from dhcp
On Wed, Dec 31, 2014 at 01:59:32PM -0500, Brendan Kearney wrote:
> i have played with nsupdate, and it does look like updates will be allowed if i remove the access restriction, but i am losing the authenticity of the update, since the TSIG shared secret signs the update.

The goal is not to remove the access restriction. The goal is to use something like

    update-policy {
        grant DHCP\047dhcp-server.example@example.com wildcard * ANY;
    };

create service DHCP/dhcp-server.example@example.com or some similar principal for your DHCP server, retrieve its keytab (possibly with ipa-getkeytab), and then do

    kinit -kt /the/path/to/the/dhcp/service.keytab
    nsupdate -g

> regardless of authentication, client updates to DNS zones are still a risk and a rogue app or user can still perform direct updates to zones, leading to impersonation/interception of services, denial of service attacks and more.

In case of your DHCP use case, you certainly might not want to enable the client updates. However, client updates are something different than allowing a particular service (and only that service) to update the zone records.

Also, note that how you enable the client updates matter. The wiki page http://www.freeipa.org/page/FreeIPAv2:Dynamic_updates_with_GSS-TSIG suggests

    grant EXAMPLE.COM krb5-self * A;

which means that authenticated host can only change its own A record -- it cannot impersonate another hostname like you suggest.

> endpoints, or their users, should not be trusted to make updates to DNS zones. TSIG signed updates from servers are still preferred over authenticated updates from endpoints or users.

Server has identity just like service, just like user. You can have an unimportant server and you can have an important (admin) user. Ruling out authentication

> i am using ISC DHCP, and cannot speak to any level of effort required to incorporate Kerberos into the code.

The page http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/ shows how ISC DHCP's execute can be used to send the changes to an external command, and that command can include the kinit -kt + nsupdate -g combo.

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
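For readers who want to see what the "execute + kinit -kt + nsupdate -g" combination Jan describes looks like end to end, here is an added example wrapper script. It is not from the thread, the blog post Jan links, or the FreeIPA project. It assumes the DHCP/dhcp-server.example@example.com principal from Jan's update-policy example; the keytab path, zone name, TTL, credential-cache location, and the dhcpd.conf hook lines in the trailing comment are placeholders chosen for the example. The script validates the client-supplied host name and address before building the update, and sends the forward and reverse changes as two separate nsupdate messages, since one "send" can only target one zone.

```shell
#!/bin/sh
# Added example (not from the thread or any of its participants): a wrapper
# that an ISC DHCP "execute" statement calls on lease commit/release to push
# the forward and reverse records through a GSS-TSIG-signed dynamic update.
# It authenticates with the DHCP service's keytab, so the server-side
# update-policy grant for that principal (Jan's example: grant
# DHCP\047dhcp-server.example@example.com wildcard * ANY) decides what it may
# change; no shared TSIG secret is stored in dhcpd.conf or named.conf.
# Assumed, not from the thread: keytab path, zone, TTL, ccache path, and the
# dhcpd.conf lines in the comment at the bottom.
set -eu

DHCP_PRINCIPAL="DHCP/dhcp-server.example@example.com"   # principal from Jan's mail
DHCP_KEYTAB="/etc/dhcp/dhcp.keytab"                     # placeholder; from ipa-getkeytab
FORWARD_ZONE="example.com"                              # placeholder zone
TTL=3600                                                # placeholder TTL
# Keep the service's tickets separate from any root ccache on the host.
export KRB5CCNAME="FILE:/run/dhcpd-ddns.ccache"

# 10.0.0.5 -> 5.0.0.10.in-addr.arpa (IPv4 only)
reverse_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# The host name comes from the DHCP client. Reject anything that is not a
# plain DNS name so a crafted client name cannot smuggle extra nsupdate
# commands (a newline followed by "update add ...") into the script below.
valid_hostname() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|-*|*.-*|*-.*|*..*) return 1 ;;
        *) return 0 ;;
    esac
}

# Four dotted decimal octets, each 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Emit the nsupdate command script for one lease event.
# $1 = add|delete, $2 = host name (short or FQDN), $3 = IPv4 address.
build_update() {
    action="$1"; host="$2"; ip="$3"
    case "$host" in
        *.*) fqdn="$host" ;;
        *)   fqdn="$host.$FORWARD_ZONE" ;;
    esac
    ptr=$(reverse_name "$ip")
    # nsupdate sends one zone per "send", so the in-addr.arpa change goes
    # in a second message. Deleting first keeps a host that changed address
    # from accumulating stale A/PTR records.
    printf 'update delete %s. A\n' "$fqdn"
    if [ "$action" = add ]; then
        printf 'update add %s. %s A %s\n' "$fqdn" "$TTL" "$ip"
    fi
    printf 'send\n'
    printf 'update delete %s. PTR\n' "$ptr"
    if [ "$action" = add ]; then
        printf 'update add %s. %s PTR %s.\n' "$ptr" "$TTL" "$fqdn"
    fi
    printf 'send\n'
}

# Validate the client-supplied values, get a ticket as the DHCP service, and
# let nsupdate -g sign the update with GSS-TSIG.
ddns_update() {
    valid_hostname "$2" || { echo "ddns: rejected host name" >&2; return 2; }
    valid_ipv4 "$3"     || { echo "ddns: rejected address '$3'" >&2; return 2; }
    kinit -kt "$DHCP_KEYTAB" "$DHCP_PRINCIPAL"
    build_update "$1" "$2" "$3" | nsupdate -g
}

# Illustrative dhcpd.conf hook (assumed, not from the thread):
#   on commit  { execute("/usr/local/sbin/ddns-update.sh", "add",
#                        pick-first-value(option fqdn.hostname, option host-name),
#                        binary-to-ascii(10, 8, ".", leased-address)); }
#   on release { execute("/usr/local/sbin/ddns-update.sh", "delete",
#                        pick-first-value(option fqdn.hostname, option host-name),
#                        binary-to-ascii(10, 8, ".", leased-address)); }
case "${1:-}" in
    add|delete) ddns_update "$@" ;;
esac
```

Because the script only ever holds a ticket for the DHCP service principal, what it can change is bounded by the update-policy grant for that principal on the IPA servers, which is the point Jan and Loris make above: a workstation's own host keytab gets it nothing here, and narrowing the wildcard grant to the zones the DHCP server actually manages further limits the blast radius if the DHCP host is compromised.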
Re: [Freeipa-users] bind-dyndb-ldap and ddns updates from dhcp
On Wed, Dec 31, 2014 at 10:34:37PM +0100, Jan Pazdziora wrote:
>> endpoints, or their users, should not be trusted to make updates to DNS zones. TSIG signed updates from servers are still preferred over authenticated updates from endpoints or users.
>
> Server has identity just like service, just like user. You can have an unimportant server and you can have an important (admin) user. Ruling out authentication

... oops, I seem to have failed to finish this paragraph.

Ruling out authentication of identities means that you give up on centrally controlled access policies -- something that FreeIPA is good at, besides just storing identities.

In other words, instead of having an increasing number of shared secrets around your network, it might be useful to adopt the approach when identities can get created without many restrictions, and what you allow those identities to do is what matters.

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
[Freeipa-users] bind-dyndb-ldap and ddns updates from dhcp
where can i find howto info around setting up bind-dyndb-ldap to accept ddns updates from dhcp? usually, i have a shared key defined in dns and dhcp, and the updates are authenticated. where are the docs for setting this up in bind-dyndb-ldap?
Re: [Freeipa-users] bind-dyndb-ldap and ddns updates from dhcp
On 12/29/2014 04:47 PM, Brendan Kearney wrote:
> where can i find howto info around setting up bind-dyndb-ldap to accept ddns updates from dhcp? usually, i have a shared key defined in dns and dhcp, and the updates are authenticated. where are the docs for setting this up in bind-dyndb-ldap?

I am not sure I understand the use case correctly.

bind-dyndb-ldap is a back end driver for BIND to get data from an LDAP storage. The updates are done by BIND. The IPA BIND accepts kerberos based updates.
http://www.freeipa.org/page/FreeIPAv2:Dynamic_updates_with_GSS-TSIG

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.