doc/arm/Bv9ARM.ch07.html

	Bv9ARM.ch07.html revision 75c0816e8295e180f4bc7f10db3d0d880383bc1c
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<!--
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - Permission to use, copy, modify, and distribute this software for any
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - purpose with or without fee is hereby granted, provided that the above
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - copyright notice and this permission notice appear in all copies.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - PERFORMANCE OF THIS SOFTWARE.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein-->
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews<!-- $Id: Bv9ARM.ch07.html,v 1.97 2005/05/13 03:14:10 marka Exp $ -->
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<html>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<head>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<title>Chapter�7.�BIND 9 Security Considerations</title>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta name="generator" content="DocBook XSL Stylesheets V1.68.1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter�6.�BIND 9 Configuration Reference">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="next" href="Bv9ARM.ch08.html" title="Chapter�8.�Troubleshooting">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</head>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="navheader">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<table width="100%" summary="Navigation header">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr><th colspan="3" align="center">Chapter�7.�<span class="acronym">BIND</span> 9 Security Considerations</th></tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="left">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>�</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<th width="60%" align="center">�</th>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</table>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<hr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="chapter" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h2 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="Bv9ARM.ch07"></a>Chapter�7.�<span class="acronym">BIND</span> 9 Security Considerations</h2></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="toc">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><b>Table of Contents</b></p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dl>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2559345"><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span> (for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          UNIX servers)</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><dl>
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2559421">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2559481">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</dl></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</dl>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect1" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h2 class="title" style="clear: both">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Access Control Lists (ACLs), are address match lists that
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-recursion</strong></span>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          etc.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Using ACLs allows you to have finer control over who can access
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          your name server, without cluttering up your config files with huge
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          lists of IP addresses.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          control access to your server. Limiting access to your server by
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          outside parties can help prevent spoofing and DoS attacks against
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          your server.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Here is an example of how to properly apply ACLs:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<pre class="programlisting">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein// Set up an ACL named "bogusnets" that will block RFC1918 space,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce// which is commonly used in spoofing attacks.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceacl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce// Set up an ACL called our-nets. Replace this with the real IP numbers.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceacl our-nets { x.x.x.x/24; x.x.x.x/21; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luceoptions {
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  ...
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  ...
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  allow-query { our-nets; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  allow-recursion { our-nets; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  ...
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  blackhole { bogusnets; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  ...
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce};
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Lucezone "example.com" {
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  type master;
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  file "m/example.com";
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce  allow-query { any; };
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce};
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</pre>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          This allows recursive queries of the server from the outside
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          unless recursion has been previously disabled.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          For more information on how to use ACLs to protect your server,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          see the <span class="emphasis"><em>AUSCERT</em></span> advisory at
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect1" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h2 class="title" style="clear: both">
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews<a name="id2559345"></a><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span> (for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          UNIX servers)</h2></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          On UNIX servers, it is possible to run <span class="acronym">BIND</span> in a <span class="emphasis"><em>chrooted</em></span> environment
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          (<span><strong class="command">chroot()</strong></span>) by specifying the "<code class="option">-t</code>"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          option. This can help improve system security by placing <span class="acronym">BIND</span> in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          a "sandbox", which will limit the damage done if a server is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          compromised.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Another useful feature in the UNIX version of <span class="acronym">BIND</span> is the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Here is an example command line to load <span class="acronym">BIND</span> in a <span><strong class="command">chroot()</strong></span> sandbox,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          user 202:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <strong class="userinput"><code>/usr/local/bin/named -u 202 -t /var/named</code></strong>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect2" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews<a name="id2559421"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            In order for a <span><strong class="command">chroot()</strong></span> environment
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            work properly in a particular directory
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            (for example, <code class="filename">/var/named</code>),
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            you will need to set up an environment that includes everything
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <span class="acronym">BIND</span> needs to run.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            From <span class="acronym">BIND</span>'s point of view, <code class="filename">/var/named</code> is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            the root of the filesystem.  You will need to adjust the values of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            options like
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            for this.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Unlike with earlier versions of BIND, you will typically
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            statically nor install shared libraries under the new root.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            However, depending on your operating system, you may need
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            to set up things like
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <code class="filename">/dev/zero</code>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <code class="filename">/dev/random</code>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <code class="filename">/dev/log</code>, and/or
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            <code class="filename">/etc/localtime</code>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect2" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews<a name="id2559481"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            Prior to running the <span><strong class="command">named</strong></span> daemon,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            use
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            the <span><strong class="command">touch</strong></span> utility (to change file
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            access and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            modification times) or the <span><strong class="command">chown</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            utility (to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            set the user id and/or group id) on files
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            to which you want <span class="acronym">BIND</span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            to write.  Note that if the <span><strong class="command">named</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            daemon is running as an
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            unprivileged user, it will not be able to bind to new restricted
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            ports if the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein            server is reloaded.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="sect1" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h2 class="title" style="clear: both">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Access to the dynamic
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          update facility should be strictly limited.  In earlier versions of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span class="acronym">BIND</span> the only way to do this was
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          based on the IP
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          address of the host requesting the update, by listing an IP address
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          or
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          network prefix in the <span><strong class="command">allow-update</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          zone option.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          This method is insecure since the source address of the update UDP
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          packet
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          is easily forged.  Also note that if the IP addresses allowed by the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          <span><strong class="command">allow-update</strong></span> option include the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          address of a slave
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          server which performs forwarding of dynamic updates, the master can
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          trivially attacked by sending the update to the slave, which will
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          forward it to the master with its own source IP address causing the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          master to approve it without question.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          For these reasons, we strongly recommend that updates be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          cryptographically authenticated by means of transaction signatures
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          (TSIG).  That is, the <span><strong class="command">allow-update</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          option should
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          list only TSIG key names, not IP addresses or network
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          option can be used.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          Some sites choose to keep all dynamically updated DNS data
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          in a subdomain and delegate that subdomain to a separate zone. This
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          way, the top-level zone containing critical data such as the IP
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          addresses
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          of public web and mail servers need not allow dynamic update at
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein          all.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein        </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="navfooter">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<hr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<table width="100%" summary="Navigation footer">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="40%" align="left">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>�</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="center">�</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="40%" align="right">�<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="40%" align="left" valign="top">Chapter�6.�<span class="acronym">BIND</span> 9 Configuration Reference�</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="40%" align="right" valign="top">�Chapter�8.�Troubleshooting</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</table>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</body>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</html>