doc/arm/Bv9ARM.ch07.html

	Bv9ARM.ch07.html revision 9c6a5d1f22f972232d7a9fd5c5fa64f10bacbdff
436aad11e01e916f75e68a2e9cb89ac217a990d3Tinderbox User<!--
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
c7ef13f6c9ef4436bc804b150e0a93307b11fa27Tinderbox User - Copyright (C) 2000-2003 Internet Software Consortium.
c7ef13f6c9ef4436bc804b150e0a93307b11fa27Tinderbox User -
a5636b773fa05a272b6876afd99309c0b3090e2fMark Andrews - Permission to use, copy, modify, and distribute this software for any
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User - purpose with or without fee is hereby granted, provided that the above
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User - copyright notice and this permission notice appear in all copies.
c57668a2fbbe558c1bd21652813616f2f517c469Tinderbox User -
5e047890ac9b745db060d95f7d1b4f876511240dTinderbox User - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
137fdbc214e99c4cbe57551e9e14f2015c2e42aeTinderbox User - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
3349f0044fda807e1fd6681c833d3593a22dad86Tinderbox User - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
bed0874e1a09e810575328c4bfc346a47514b69fMark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
02b47c5d62e1e827743684c28a08e871da454a2dMark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User - PERFORMANCE OF THIS SOFTWARE.
e20309353e6246485c521278131d3fced73d7957Tinderbox User-->
e20309353e6246485c521278131d3fced73d7957Tinderbox User<!-- $Id: Bv9ARM.ch07.html,v 1.188 2009/02/26 01:12:16 tbox Exp $ -->
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<html>
9a5217f827ac0e006016745e5305b31dc0c7767fTinderbox User<head>
3cc98b8ecedcbc8465f1cf2740b966b315662430Automatic Updater<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<title>Chapter�7.�BIND 9 Security Considerations</title>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
e20309353e6246485c521278131d3fced73d7957Tinderbox User<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
e20309353e6246485c521278131d3fced73d7957Tinderbox User<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter�6.�BIND 9 Configuration Reference">
df4ebd8217d02dafc12145b55c4d93d0255d1ec7Tinderbox User<link rel="next" href="Bv9ARM.ch08.html" title="Chapter�8.�Troubleshooting">
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews</head>
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<div class="navheader">
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater<table width="100%" summary="Navigation header">
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater<tr><th colspan="3" align="center">Chapter�7.�<acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<tr>
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater<td width="20%" align="left">
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>�</td>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User<th width="60%" align="center">�</th>
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
e130ab53e992670e2a2ecf043976ac09f21358d1Automatic Updater</td>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater</tr>
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt</table>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater<hr>
24934f08b9ff81c2be711e566e8002d145573031Tinderbox User</div>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater<div class="chapter" lang="en">
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt<div class="titlepage"><div><div><h2 class="title">
24934f08b9ff81c2be711e566e8002d145573031Tinderbox User<a name="Bv9ARM.ch07"></a>Chapter�7.�<acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User<div class="toc">
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt<p><b>Table of Contents</b></p>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User<dl>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2599004"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater<dd><dl>
cdfc81e048bd34c1d628380247bda6b80a89e20eAutomatic Updater<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2599154">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
cdfc81e048bd34c1d628380247bda6b80a89e20eAutomatic Updater<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2599282">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater</dl></dd>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater</dl>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater</div>
eabc9c3c07cd956d3c436bd7614cb162dabdda76Mark Andrews<div class="sect1" lang="en">
eabc9c3c07cd956d3c436bd7614cb162dabdda76Mark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
eabc9c3c07cd956d3c436bd7614cb162dabdda76Mark Andrews<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User<p>
e20309353e6246485c521278131d3fced73d7957Tinderbox User          Access Control Lists (ACLs) are address match lists that
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews          you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
24934f08b9ff81c2be711e566e8002d145573031Tinderbox User          <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>,
e20309353e6246485c521278131d3fced73d7957Tinderbox User          <span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>,
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews          <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
7feccf248d2a20a2ae48b290f58ded5abc853e9aTinderbox User          etc.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews        </p>
c59750de3ea3c7d5890000fb4606e8f5835a52aaTinderbox User<p>
80faf1588895fd26490f82f95a7a1b771df1c324Automatic Updater          Using ACLs allows you to have finer control over who can access
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews          your name server, without cluttering up your config files with huge
ec7751119a08c6a7250f3187beed69a8b836d349Tinderbox User          lists of IP addresses.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews        </p>
28a5dd720187fddb16055a0f64b63a7b66f29f64Mark Andrews<p>
28a5dd720187fddb16055a0f64b63a7b66f29f64Mark Andrews          It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews          control access to your server. Limiting access to your server by
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater          outside parties can help prevent spoofing and denial of service (DoS) attacks against
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson          your server.
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater        </p>
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater<p>
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews          Here is an example of how to properly apply ACLs:
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater        </p>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<pre class="programlisting">
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater// Set up an ACL named "bogusnets" that will block RFC1918 space
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater// and some reserved space, which is commonly used in spoofing attacks.
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafssonacl bogusnets {
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater        0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
28a5dd720187fddb16055a0f64b63a7b66f29f64Mark Andrews        10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
28a5dd720187fddb16055a0f64b63a7b66f29f64Mark Andrews};
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews
3349f0044fda807e1fd6681c833d3593a22dad86Tinderbox User// Set up an ACL called our-nets. Replace this with the real IP numbers.
3349f0044fda807e1fd6681c833d3593a22dad86Tinderbox Useracl our-nets { x.x.x.x/24; x.x.x.x/21; };
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrewsoptions {
28a5dd720187fddb16055a0f64b63a7b66f29f64Mark Andrews  ...
28a5dd720187fddb16055a0f64b63a7b66f29f64Mark Andrews  ...
28a5dd720187fddb16055a0f64b63a7b66f29f64Mark Andrews  allow-query { our-nets; };
28a5dd720187fddb16055a0f64b63a7b66f29f64Mark Andrews  allow-recursion { our-nets; };
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont  ...
3349f0044fda807e1fd6681c833d3593a22dad86Tinderbox User  blackhole { bogusnets; };
3349f0044fda807e1fd6681c833d3593a22dad86Tinderbox User  ...
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont};
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews
2ba8f584b97cbab864570e38fd26b8cb90961428Tinderbox Userzone "example.com" {
3349f0044fda807e1fd6681c833d3593a22dad86Tinderbox User  type master;
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews  file "m/example.com";
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews  allow-query { any; };
bed0874e1a09e810575328c4bfc346a47514b69fMark Andrews};
24bf1e02f03577db0feb50b80238c4150c96d05dAutomatic Updater</pre>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews<p>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews          This allows recursive queries of the server from the outside
2ba8f584b97cbab864570e38fd26b8cb90961428Tinderbox User          unless recursion has been previously disabled.
a308b69ac66fadf66863484f301314d6e6a3f1d2Automatic Updater        </p>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews<p>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews          For more information on how to use ACLs to protect your server,
551271d8198ae06e37edf5da519d8ee153eeac0fTinderbox User          see the <span class="emphasis"><em>AUSCERT</em></span> advisory at:
27c3c21f41520e8d6336d80a8094389e321cb6d2Mark Andrews        </p>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<p>
b871c7156eb037d41f53828c6fcb9cc876128962Mark Andrews          <a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a>
b871c7156eb037d41f53828c6fcb9cc876128962Mark Andrews        </p>
b871c7156eb037d41f53828c6fcb9cc876128962Mark Andrews</div>
01a5c5503482fb3ba52088bf0178a7213273bf96Mark Andrews<div class="sect1" lang="en">
551271d8198ae06e37edf5da519d8ee153eeac0fTinderbox User<div class="titlepage"><div><div><h2 class="title" style="clear: both">
b871c7156eb037d41f53828c6fcb9cc876128962Mark Andrews<a name="id2599004"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
df4ebd8217d02dafc12145b55c4d93d0255d1ec7Tinderbox User</h2></div></div></div>
cdfc81e048bd34c1d628380247bda6b80a89e20eAutomatic Updater<p>
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater          On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
fe80a4909bf62b602feaf246866e9d29f7654194Automatic Updater          in a <span class="emphasis"><em>chrooted</em></span> environment (using
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater          the <span><strong class="command">chroot()</strong></span> function) by specifying
fa0326cc2cf428f67575b6ba3b97b528a31b0010Tinderbox User          the "<code class="option">-t</code>" option for <span><strong class="command">named</strong></span>.
fa0326cc2cf428f67575b6ba3b97b528a31b0010Tinderbox User          This can help improve system security by placing
fa0326cc2cf428f67575b6ba3b97b528a31b0010Tinderbox User          <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater          the damage done if a server is compromised.
fe80a4909bf62b602feaf246866e9d29f7654194Automatic Updater        </p>
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater<p>
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater          Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson          ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater          We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews        </p>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<p>
dd65eb1efb40b1c47d57963192bfc54873b219beAutomatic Updater          Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
dd65eb1efb40b1c47d57963192bfc54873b219beAutomatic Updater          <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
dd65eb1efb40b1c47d57963192bfc54873b219beAutomatic Updater          user 202:
133e6d43fa82e80d3798be4de00f4540f485ec6cAutomatic Updater        </p>
133e6d43fa82e80d3798be4de00f4540f485ec6cAutomatic Updater<p>
133e6d43fa82e80d3798be4de00f4540f485ec6cAutomatic Updater          <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater        </p>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<div class="sect2" lang="en">
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater<div class="titlepage"><div><div><h3 class="title">
5f7586ddbd3edd11272cdd30ed613d936129328bTinderbox User<a name="id2599154"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
5f7586ddbd3edd11272cdd30ed613d936129328bTinderbox User<p>
5f7586ddbd3edd11272cdd30ed613d936129328bTinderbox User            In order for a <span><strong class="command">chroot</strong></span> environment
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User            to
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews            work properly in a particular directory
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User            (for example, <code class="filename">/var/named</code>),
c7ef13f6c9ef4436bc804b150e0a93307b11fa27Tinderbox User            you will need to set up an environment that includes everything
c7ef13f6c9ef4436bc804b150e0a93307b11fa27Tinderbox User            <acronym class="acronym">BIND</acronym> needs to run.
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User            From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
f132a836c4e386b1af045dd8fe7106ae61b90bffAutomatic Updater            the root of the filesystem.  You will need to adjust the values of
d642d3857129678797a01adee14fbd70335b05a9Mark Andrews            options like
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews            like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews            for this.
5f33078b538b3d317917deb962bd057b2a888db1Tinderbox User          </p>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User<p>
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews            Unlike with earlier versions of BIND, you typically will
269519eeb959d905ed125f96426e01d725c3b597Tinderbox User            <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
8711e5c73ca872d59810760af0332194cbdd619bAutomatic Updater            statically nor install shared libraries under the new root.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater            However, depending on your operating system, you may need
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews            to set up things like
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews            <code class="filename">/dev/zero</code>,
8f2c45a35dd8c40bcc9caba8f7d40ce64fc27bcdAutomatic Updater            <code class="filename">/dev/random</code>,
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews            <code class="filename">/dev/log</code>, and
6a9d2121152c94cb9e35832126c3f2e4d18d81edTinderbox User            <code class="filename">/etc/localtime</code>.
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews          </p>
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews</div>
bc0a53583d92309bebcf93c408e2f3247ebd3d3cAutomatic Updater<div class="sect2" lang="en">
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<div class="titlepage"><div><div><h3 class="title">
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<a name="id2599282"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater<p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater            Prior to running the <span><strong class="command">named</strong></span> daemon,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater            use
7f79131f9a8e804b93c57f3c679065cce878b726Automatic Updater            the <span><strong class="command">touch</strong></span> utility (to change file
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater            access and
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater            modification times) or the <span><strong class="command">chown</strong></span>
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews            utility (to
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews            set the user id and/or group id) on files
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater            to which you want <acronym class="acronym">BIND</acronym>
19b3dc94bce93fa76bd7e066f9298630dbc9dcb4Automatic Updater            to write.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater          </p>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
7f94d9a8162c9a96b56e66176702b66e79d8e1a2Automatic Updater<h3 class="title">Note</h3>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater            Note that if the <span><strong class="command">named</strong></span> daemon is running as an
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater            unprivileged user, it will not be able to bind to new restricted
5ecad47f69b3fd945472ab2900a9ff826a7ce2f6Automatic Updater            ports if the server is reloaded.
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews          </div>
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews</div>
6a9d2121152c94cb9e35832126c3f2e4d18d81edTinderbox User</div>
6a9d2121152c94cb9e35832126c3f2e4d18d81edTinderbox User<div class="sect1" lang="en">
7262eb86f2b465822206122921e2f357218f0cfdAutomatic Updater<div class="titlepage"><div><div><h2 class="title" style="clear: both">
96ea71632887c58a9d00f47eb318bf76b35903c3Mark Andrews<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<p>
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater          Access to the dynamic
bbb069be941f649228760edcc241122933c066d2Automatic Updater          update facility should be strictly limited.  In earlier versions of
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater          <acronym class="acronym">BIND</acronym>, the only way to do this was
4cda4fd158d6ded5586bacea8c388445d99611eaAutomatic Updater          based on the IP
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews          address of the host requesting the update, by listing an IP address
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews          or
80faf1588895fd26490f82f95a7a1b771df1c324Automatic Updater          network prefix in the <span><strong class="command">allow-update</strong></span>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews          zone option.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater          This method is insecure since the source address of the update UDP
6a9d2121152c94cb9e35832126c3f2e4d18d81edTinderbox User          packet
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews          is easily forged.  Also note that if the IP addresses allowed by the
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews          <span><strong class="command">allow-update</strong></span> option include the
27c3c21f41520e8d6336d80a8094389e321cb6d2Mark Andrews          address of a slave
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews          server which performs forwarding of dynamic updates, the master can
551271d8198ae06e37edf5da519d8ee153eeac0fTinderbox User          be
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews          trivially attacked by sending the update to the slave, which will
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater          forward it to the master with its own source IP address causing the
bbc0e1c4f47f101c4a64db3469352c49a49e734fTinderbox User          master to approve it without question.
f751b1576ee6fef4023bf7101d10167e4fe520f3Tinderbox User        </p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<p>
a792d42c3cdd6cd4608b936c0a06437b8c2d99ccTinderbox User          For these reasons, we strongly recommend that updates be
da59e63e7af147a8bcef985b98b04443e04c3a0eTinderbox User          cryptographically authenticated by means of transaction signatures
da59e63e7af147a8bcef985b98b04443e04c3a0eTinderbox User          (TSIG).  That is, the <span><strong class="command">allow-update</strong></span>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User          option should
dc5552b4df5e3821783821c8d4e734c1608c446eTinderbox User          list only TSIG key names, not IP addresses or network
cf7e98f59148b559946a7f1ca728471374f1eef3Automatic Updater          prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>
0ea1646bf1253f50946ed5e4d3c01c1d2767012bTinderbox User          option can be used.
27c3c21f41520e8d6336d80a8094389e321cb6d2Mark Andrews        </p>
dc5552b4df5e3821783821c8d4e734c1608c446eTinderbox User<p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater          Some sites choose to keep all dynamically-updated DNS data
cf7e98f59148b559946a7f1ca728471374f1eef3Automatic Updater          in a subdomain and delegate that subdomain to a separate zone. This
c3fd32ed29e9e419bb56583f4272a506773b1ea0Automatic Updater          way, the top-level zone containing critical data such as the IP
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson          addresses
c3fd32ed29e9e419bb56583f4272a506773b1ea0Automatic Updater          of public web and mail servers need not allow dynamic update at
cd6e9010079a4e58f7e30063df3dec0ff154ad59Tinderbox User          all.
a382ca49c874d38ad3ac8995b49f9f27128e4ca9Automatic Updater        </p>
fe600c3ad88c0bb078283a953d048087d227c0e5Tinderbox User</div>
bbc0e1c4f47f101c4a64db3469352c49a49e734fTinderbox User</div>
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User<div class="navfooter">
e20309353e6246485c521278131d3fced73d7957Tinderbox User<hr>
3857cb6fcabeb79d85de4b3e3e4ab99912b701f8Mark Andrews<table width="100%" summary="Navigation footer">
d642d3857129678797a01adee14fbd70335b05a9Mark Andrews<tr>
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User<td width="40%" align="left">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>�</td>
9174e44c14b1cb91a651fa1dc29470438c246ab9Automatic Updater<td width="20%" align="center">�</td>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<td width="40%" align="right">�<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
e2caa7536302de34de6cc04025abcd53dc3a499aAutomatic Updater</td>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User</tr>
8292deab031e7599cd7622aa7675fbe139ca6095Mark Andrews<tr>
0b57424d28c9a67018107133f9fbc0a7dcf057e2Mark Andrews<td width="40%" align="left" valign="top">Chapter�6.�<acronym class="acronym">BIND</acronym> 9 Configuration Reference�</td>
0b57424d28c9a67018107133f9fbc0a7dcf057e2Mark Andrews<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
0b57424d28c9a67018107133f9fbc0a7dcf057e2Mark Andrews<td width="40%" align="right" valign="top">�Chapter�8.�Troubleshooting</td>
e31cfd80616deb9781902306b34a69aa7309b6cbTinderbox User</tr>
e31cfd80616deb9781902306b34a69aa7309b6cbTinderbox User</table>
e31cfd80616deb9781902306b34a69aa7309b6cbTinderbox User</div>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews</body>
b109432c3a939bff66a463be86c371bd88efe3aaAutomatic Updater</html>
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater