Bv9ARM.ch07.html revision 0d00a726fe3c0423fab1d6876e89b69a4afe44e2
13faa91230bde46da937bf33010b9accc5bdeb59sd<!--
13faa91230bde46da937bf33010b9accc5bdeb59sd - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
13faa91230bde46da937bf33010b9accc5bdeb59sd - Copyright (C) 2000-2003 Internet Software Consortium.
13faa91230bde46da937bf33010b9accc5bdeb59sd -
13faa91230bde46da937bf33010b9accc5bdeb59sd - Permission to use, copy, modify, and/or distribute this software for any
13faa91230bde46da937bf33010b9accc5bdeb59sd - purpose with or without fee is hereby granted, provided that the above
13faa91230bde46da937bf33010b9accc5bdeb59sd - copyright notice and this permission notice appear in all copies.
13faa91230bde46da937bf33010b9accc5bdeb59sd -
13faa91230bde46da937bf33010b9accc5bdeb59sd - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
13faa91230bde46da937bf33010b9accc5bdeb59sd - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
13faa91230bde46da937bf33010b9accc5bdeb59sd - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
13faa91230bde46da937bf33010b9accc5bdeb59sd - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13faa91230bde46da937bf33010b9accc5bdeb59sd - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
13faa91230bde46da937bf33010b9accc5bdeb59sd - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
13faa91230bde46da937bf33010b9accc5bdeb59sd - PERFORMANCE OF THIS SOFTWARE.
13faa91230bde46da937bf33010b9accc5bdeb59sd-->
13faa91230bde46da937bf33010b9accc5bdeb59sd<!-- $Id$ -->
13faa91230bde46da937bf33010b9accc5bdeb59sd<html>
13faa91230bde46da937bf33010b9accc5bdeb59sd<head>
13faa91230bde46da937bf33010b9accc5bdeb59sd<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter&nbsp;7.&nbsp;BIND 9 Security Considerations</title>
13faa91230bde46da937bf33010b9accc5bdeb59sd<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
b64bfe7dc77dc5c5561cdcd10c80b0b550701a24Trang Do<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
13faa91230bde46da937bf33010b9accc5bdeb59sd<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter&nbsp;6.&nbsp;BIND 9 Configuration Reference">
<link rel="next" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
13faa91230bde46da937bf33010b9accc5bdeb59sd</head>
13faa91230bde46da937bf33010b9accc5bdeb59sd<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
13faa91230bde46da937bf33010b9accc5bdeb59sd<div class="navheader">
13faa91230bde46da937bf33010b9accc5bdeb59sd<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Chapter&nbsp;7.&nbsp;<acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
13faa91230bde46da937bf33010b9accc5bdeb59sd<tr>
13faa91230bde46da937bf33010b9accc5bdeb59sd<td width="20%" align="left">
<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">&nbsp;</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
13faa91230bde46da937bf33010b9accc5bdeb59sd</td>
13faa91230bde46da937bf33010b9accc5bdeb59sd</tr>
13faa91230bde46da937bf33010b9accc5bdeb59sd</table>
13faa91230bde46da937bf33010b9accc5bdeb59sd<hr>
13faa91230bde46da937bf33010b9accc5bdeb59sd</div>
13faa91230bde46da937bf33010b9accc5bdeb59sd<div class="chapter" lang="en">
13faa91230bde46da937bf33010b9accc5bdeb59sd<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch07"></a>Chapter&nbsp;7.&nbsp;<acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
13faa91230bde46da937bf33010b9accc5bdeb59sd<div class="toc">
13faa91230bde46da937bf33010b9accc5bdeb59sd<p><b>Table of Contents</b></p>
13faa91230bde46da937bf33010b9accc5bdeb59sd<dl>
13faa91230bde46da937bf33010b9accc5bdeb59sd<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
13faa91230bde46da937bf33010b9accc5bdeb59sd<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2607434"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
13faa91230bde46da937bf33010b9accc5bdeb59sd<dd><dl>
13faa91230bde46da937bf33010b9accc5bdeb59sd<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2607584">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
13faa91230bde46da937bf33010b9accc5bdeb59sd<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2607643">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
13faa91230bde46da937bf33010b9accc5bdeb59sd</dl></dd>
13faa91230bde46da937bf33010b9accc5bdeb59sd<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
13faa91230bde46da937bf33010b9accc5bdeb59sd</dl>
13faa91230bde46da937bf33010b9accc5bdeb59sd</div>
13faa91230bde46da937bf33010b9accc5bdeb59sd<div class="sect1" lang="en">
13faa91230bde46da937bf33010b9accc5bdeb59sd<div class="titlepage"><div><div><h2 class="title" style="clear: both">
13faa91230bde46da937bf33010b9accc5bdeb59sd<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
13faa91230bde46da937bf33010b9accc5bdeb59sd<p>
13faa91230bde46da937bf33010b9accc5bdeb59sd Access Control Lists (ACLs) are address match lists that
13faa91230bde46da937bf33010b9accc5bdeb59sd you can set up and nickname for future use in
13faa91230bde46da937bf33010b9accc5bdeb59sd <span><strong class="command">allow-notify</strong></span>, <span><strong class="command">allow-query</strong></span>,
13faa91230bde46da937bf33010b9accc5bdeb59sd <span><strong class="command">allow-query-on</strong></span>, <span><strong class="command">allow-recursion</strong></span>,
13faa91230bde46da937bf33010b9accc5bdeb59sd <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
13faa91230bde46da937bf33010b9accc5bdeb59sd <span><strong class="command">match-clients</strong></span>, etc.
13faa91230bde46da937bf33010b9accc5bdeb59sd </p>
13faa91230bde46da937bf33010b9accc5bdeb59sd<p>
13faa91230bde46da937bf33010b9accc5bdeb59sd Using ACLs allows you to have finer control over who can access
13faa91230bde46da937bf33010b9accc5bdeb59sd your name server, without cluttering up your config files with huge
13faa91230bde46da937bf33010b9accc5bdeb59sd lists of IP addresses.
13faa91230bde46da937bf33010b9accc5bdeb59sd </p>
13faa91230bde46da937bf33010b9accc5bdeb59sd<p>
13faa91230bde46da937bf33010b9accc5bdeb59sd It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
13faa91230bde46da937bf33010b9accc5bdeb59sd control access to your server. Limiting access to your server by
13faa91230bde46da937bf33010b9accc5bdeb59sd outside parties can help prevent spoofing and denial of service
13faa91230bde46da937bf33010b9accc5bdeb59sd (DoS) attacks against your server.
13faa91230bde46da937bf33010b9accc5bdeb59sd </p>
13faa91230bde46da937bf33010b9accc5bdeb59sd<p>
13faa91230bde46da937bf33010b9accc5bdeb59sd ACLs match clients on the basis of up to three characteristics:
13faa91230bde46da937bf33010b9accc5bdeb59sd 1) The client's IP address; 2) the TSIG or SIG(0) key that was
13faa91230bde46da937bf33010b9accc5bdeb59sd used to sign the request, if any; and 3) an address prefix
13faa91230bde46da937bf33010b9accc5bdeb59sd encoded in an EDNS Client Subnet option, if any.
13faa91230bde46da937bf33010b9accc5bdeb59sd </p>
13faa91230bde46da937bf33010b9accc5bdeb59sd<p>
13faa91230bde46da937bf33010b9accc5bdeb59sd Here is an example of ACLs based on client addresses:
13faa91230bde46da937bf33010b9accc5bdeb59sd </p>
13faa91230bde46da937bf33010b9accc5bdeb59sd<pre class="programlisting">
13faa91230bde46da937bf33010b9accc5bdeb59sd// Set up an ACL named "bogusnets" that will block
13faa91230bde46da937bf33010b9accc5bdeb59sd// RFC1918 space and some reserved space, which is
13faa91230bde46da937bf33010b9accc5bdeb59sd// commonly used in spoofing attacks.
13faa91230bde46da937bf33010b9accc5bdeb59sdacl bogusnets {
13faa91230bde46da937bf33010b9accc5bdeb59sd 0.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
13faa91230bde46da937bf33010b9accc5bdeb59sd 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
13faa91230bde46da937bf33010b9accc5bdeb59sd};
13faa91230bde46da937bf33010b9accc5bdeb59sd
13faa91230bde46da937bf33010b9accc5bdeb59sd// Set up an ACL called our-nets. Replace this with the
13faa91230bde46da937bf33010b9accc5bdeb59sd// real IP numbers.
13faa91230bde46da937bf33010b9accc5bdeb59sdacl our-nets { x.x.x.x/24; x.x.x.x/21; };
13faa91230bde46da937bf33010b9accc5bdeb59sdoptions {
25351652d920ae27c5a56c199da581033ce763f6Vuong Nguyen ...
13faa91230bde46da937bf33010b9accc5bdeb59sd ...
13faa91230bde46da937bf33010b9accc5bdeb59sd allow-query { our-nets; };
67d4b2f88b8e27bb035d67a046d5aad7db3bfc71gk allow-recursion { our-nets; };
13faa91230bde46da937bf33010b9accc5bdeb59sd ...
13faa91230bde46da937bf33010b9accc5bdeb59sd blackhole { bogusnets; };
13faa91230bde46da937bf33010b9accc5bdeb59sd ...
13faa91230bde46da937bf33010b9accc5bdeb59sd};
67d4b2f88b8e27bb035d67a046d5aad7db3bfc71gk
13faa91230bde46da937bf33010b9accc5bdeb59sdzone "example.com" {
13faa91230bde46da937bf33010b9accc5bdeb59sd type master;
13faa91230bde46da937bf33010b9accc5bdeb59sd file "m/example.com";
13faa91230bde46da937bf33010b9accc5bdeb59sd allow-query { any; };
13faa91230bde46da937bf33010b9accc5bdeb59sd};
13faa91230bde46da937bf33010b9accc5bdeb59sd</pre>
67d4b2f88b8e27bb035d67a046d5aad7db3bfc71gk<p>
13faa91230bde46da937bf33010b9accc5bdeb59sd This allows authoritative queries for "example.com" from any
13faa91230bde46da937bf33010b9accc5bdeb59sd address, but recursive queries only from the networks specified
25351652d920ae27c5a56c199da581033ce763f6Vuong Nguyen in "our-nets", and no queries at all from the networks
25351652d920ae27c5a56c199da581033ce763f6Vuong Nguyen specified in "bogusnets".
25351652d920ae27c5a56c199da581033ce763f6Vuong Nguyen </p>
25351652d920ae27c5a56c199da581033ce763f6Vuong Nguyen<p>
25351652d920ae27c5a56c199da581033ce763f6Vuong Nguyen In addition to network addresses and prefixes, which are
25351652d920ae27c5a56c199da581033ce763f6Vuong Nguyen matched against the source address of the DNS request, ACLs
25351652d920ae27c5a56c199da581033ce763f6Vuong Nguyen may include <code class="option">key</code> elements, which specify the
25351652d920ae27c5a56c199da581033ce763f6Vuong Nguyen name of a TSIG or SIG(0) key, or <code class="option">ecs</code>
13faa91230bde46da937bf33010b9accc5bdeb59sd elements, which specify a network prefix but are only matched
13faa91230bde46da937bf33010b9accc5bdeb59sd if that prefix matches an EDNS client subnet option included
67d4b2f88b8e27bb035d67a046d5aad7db3bfc71gk in the request.
13faa91230bde46da937bf33010b9accc5bdeb59sd </p>
25351652d920ae27c5a56c199da581033ce763f6Vuong Nguyen<p>
13faa91230bde46da937bf33010b9accc5bdeb59sd The EDNS Client Subnet (ECS) option is used by a recursive
13faa91230bde46da937bf33010b9accc5bdeb59sd resolver to inform an authoritative name server of the network
13faa91230bde46da937bf33010b9accc5bdeb59sd address block from which the original query was received, enabling
13faa91230bde46da937bf33010b9accc5bdeb59sd authoritative servers to give different answers to the same
13faa91230bde46da937bf33010b9accc5bdeb59sd resolver for different resolver clients. An ACL containing
13faa91230bde46da937bf33010b9accc5bdeb59sd an element of the form
13faa91230bde46da937bf33010b9accc5bdeb59sd <span><strong class="command">ecs <em class="replaceable"><code>prefix</code></em></strong></span>
 will match if a request arrives containing an ECS option
13faa91230bde46da937bf33010b9accc5bdeb59sd encoding an address within that prefix. If the request has no
13faa91230bde46da937bf33010b9accc5bdeb59sd ECS option, then "ecs" elements are simply ignored. Addresses
13faa91230bde46da937bf33010b9accc5bdeb59sd in ACLs that are not prefixed with "ecs" are matched only
13faa91230bde46da937bf33010b9accc5bdeb59sd against the source address.
13faa91230bde46da937bf33010b9accc5bdeb59sd </p>
13faa91230bde46da937bf33010b9accc5bdeb59sd<p>
13faa91230bde46da937bf33010b9accc5bdeb59sd When <acronym class="acronym">BIND</acronym> 9 is built with GeoIP support,
13faa91230bde46da937bf33010b9accc5bdeb59sd ACLs can also be used for geographic access restrictions.
13faa91230bde46da937bf33010b9accc5bdeb59sd This is done by specifying an ACL element of the form:
67d4b2f88b8e27bb035d67a046d5aad7db3bfc71gk <span><strong class="command">geoip [<span class="optional">db <em class="replaceable"><code>database</code></em></span>] <em class="replaceable"><code>field</code></em> <em class="replaceable"><code>value</code></em></strong></span>
13faa91230bde46da937bf33010b9accc5bdeb59sd </p>
13faa91230bde46da937bf33010b9accc5bdeb59sd<p>
13faa91230bde46da937bf33010b9accc5bdeb59sd The <em class="replaceable"><code>field</code></em> indicates which field
13faa91230bde46da937bf33010b9accc5bdeb59sd to search for a match. Available fields are "country",
13faa91230bde46da937bf33010b9accc5bdeb59sd "region", "city", "continent", "postal" (postal code),
13faa91230bde46da937bf33010b9accc5bdeb59sd "metro" (metro code), "area" (area code), "tz" (timezone),
13faa91230bde46da937bf33010b9accc5bdeb59sd "isp", "org", "asnum", "domain" and "netspeed".
13faa91230bde46da937bf33010b9accc5bdeb59sd </p>
13faa91230bde46da937bf33010b9accc5bdeb59sd<p>
13faa91230bde46da937bf33010b9accc5bdeb59sd <em class="replaceable"><code>value</code></em> is the value to search
67d4b2f88b8e27bb035d67a046d5aad7db3bfc71gk for within the database. A string may be quoted if it
13faa91230bde46da937bf33010b9accc5bdeb59sd contains spaces or other special characters. If this is
13faa91230bde46da937bf33010b9accc5bdeb59sd an "asnum" search, then the leading "ASNNNN" string can be
13faa91230bde46da937bf33010b9accc5bdeb59sd used, otherwise the full description must be used (e.g.
13faa91230bde46da937bf33010b9accc5bdeb59sd "ASNNNN Example Company Name"). If this is a "country"
13faa91230bde46da937bf33010b9accc5bdeb59sd search and the string is two characters long, then it must
13faa91230bde46da937bf33010b9accc5bdeb59sd be a standard ISO-3166-1 two-letter country code, and if it
13faa91230bde46da937bf33010b9accc5bdeb59sd is three characters long then it must be an ISO-3166-1
13faa91230bde46da937bf33010b9accc5bdeb59sd three-letter country code; otherwise it is the full name
13faa91230bde46da937bf33010b9accc5bdeb59sd of the country. Similarly, if this is a "region" search
13faa91230bde46da937bf33010b9accc5bdeb59sd and the string is two characters long, then it must be a
13faa91230bde46da937bf33010b9accc5bdeb59sd standard two-letter state or province abbreviation;
13faa91230bde46da937bf33010b9accc5bdeb59sd otherwise it is the full name of the state or province.
13faa91230bde46da937bf33010b9accc5bdeb59sd </p>
13faa91230bde46da937bf33010b9accc5bdeb59sd<p>
13faa91230bde46da937bf33010b9accc5bdeb59sd The <em class="replaceable"><code>database</code></em> field indicates which
186d582bd9dbcd38e0aeea49036d47d3426a3536Surya Prakki GeoIP database to search for a match. In most cases this is
13faa91230bde46da937bf33010b9accc5bdeb59sd unnecessary, because most search fields can only be found in
13faa91230bde46da937bf33010b9accc5bdeb59sd a single database. However, searches for country can be
13faa91230bde46da937bf33010b9accc5bdeb59sd answered from the "city", "region", or "country" databases,
13faa91230bde46da937bf33010b9accc5bdeb59sd and searches for region (i.e., state or province) can be
13faa91230bde46da937bf33010b9accc5bdeb59sd answered from the "city" or "region" databases. For these
13faa91230bde46da937bf33010b9accc5bdeb59sd search types, specifying a <em class="replaceable"><code>database</code></em>
67d4b2f88b8e27bb035d67a046d5aad7db3bfc71gk will force the query to be answered from that database and no
13faa91230bde46da937bf33010b9accc5bdeb59sd other. If <em class="replaceable"><code>database</code></em> is not
 specified, then these queries will be answered from the "city"
 database if it is installed, or the "region" database if it is
13faa91230bde46da937bf33010b9accc5bdeb59sd installed, or the "country" database, in that order.
13faa91230bde46da937bf33010b9accc5bdeb59sd </p>
13faa91230bde46da937bf33010b9accc5bdeb59sd<p>
13faa91230bde46da937bf33010b9accc5bdeb59sd By default, if a DNS query includes an EDNS Client Subnet (ECS)
13faa91230bde46da937bf33010b9accc5bdeb59sd option which encodes a non-zero address prefix, then GeoIP ACLs
13faa91230bde46da937bf33010b9accc5bdeb59sd will be matched against that address prefix. Otherwise, they
 are matched against the source address of the query. To
 prevent GeoIP ACLs from matching against ECS options, set
 the <span><strong class="command">geoip-use-ecs</strong></span> option to <code class="literal">no</code>.
13faa91230bde46da937bf33010b9accc5bdeb59sd </p>
13faa91230bde46da937bf33010b9accc5bdeb59sd<p>
13faa91230bde46da937bf33010b9accc5bdeb59sd Some example GeoIP ACLs:
13faa91230bde46da937bf33010b9accc5bdeb59sd </p>
13faa91230bde46da937bf33010b9accc5bdeb59sd<pre class="programlisting">geoip country US;
13faa91230bde46da937bf33010b9accc5bdeb59sdgeoip country JAP;
13faa91230bde46da937bf33010b9accc5bdeb59sdgeoip db country country Canada;
13faa91230bde46da937bf33010b9accc5bdeb59sdgeoip db region region WA;
13faa91230bde46da937bf33010b9accc5bdeb59sdgeoip city "San Francisco";
13faa91230bde46da937bf33010b9accc5bdeb59sdgeoip region Oklahoma;
13faa91230bde46da937bf33010b9accc5bdeb59sdgeoip postal 95062;
13faa91230bde46da937bf33010b9accc5bdeb59sdgeoip tz "America/Los_Angeles";
13faa91230bde46da937bf33010b9accc5bdeb59sdgeoip org "Internet Systems Consortium";
13faa91230bde46da937bf33010b9accc5bdeb59sd</pre>
13faa91230bde46da937bf33010b9accc5bdeb59sd<p>
67d4b2f88b8e27bb035d67a046d5aad7db3bfc71gk ACLs use a "first-match" logic rather than "best-match":
13faa91230bde46da937bf33010b9accc5bdeb59sd if an address prefix matches an ACL element, then that ACL
13faa91230bde46da937bf33010b9accc5bdeb59sd is considered to have matched even if a later element would
13faa91230bde46da937bf33010b9accc5bdeb59sd have matched more specifically. For example, the ACL
13faa91230bde46da937bf33010b9accc5bdeb59sd <span><strong class="command"> { 10/8; !10.0.0.1; }</strong></span> would actually
13faa91230bde46da937bf33010b9accc5bdeb59sd match a query from 10.0.0.1, because the first element
13faa91230bde46da937bf33010b9accc5bdeb59sd indicated that the query should be accepted, and the second
13faa91230bde46da937bf33010b9accc5bdeb59sd element is ignored.
13faa91230bde46da937bf33010b9accc5bdeb59sd </p>
13faa91230bde46da937bf33010b9accc5bdeb59sd<p>
13faa91230bde46da937bf33010b9accc5bdeb59sd When using "nested" ACLs (that is, ACLs included or referenced
 within other ACLs), a negative match of a nested ACL will cause
 the containing ACL to continue looking for matches. This
13faa91230bde46da937bf33010b9accc5bdeb59sd enables complex ACLs to be constructed, in which multiple
13faa91230bde46da937bf33010b9accc5bdeb59sd client characteristics can be checked at the same time. For
13faa91230bde46da937bf33010b9accc5bdeb59sd example, to construct an ACL which allows queries only when
13faa91230bde46da937bf33010b9accc5bdeb59sd it originates from a particular network <span class="emphasis"><em>and</em></span>
13faa91230bde46da937bf33010b9accc5bdeb59sd only when it is signed with a particular key, use:
13faa91230bde46da937bf33010b9accc5bdeb59sd </p>
13faa91230bde46da937bf33010b9accc5bdeb59sd<pre class="programlisting">
13faa91230bde46da937bf33010b9accc5bdeb59sdallow-query { !{ !10/8; any; }; key example; };
13faa91230bde46da937bf33010b9accc5bdeb59sd</pre>
13faa91230bde46da937bf33010b9accc5bdeb59sd<p>
13faa91230bde46da937bf33010b9accc5bdeb59sd Within the nested ACL, any address that is
13faa91230bde46da937bf33010b9accc5bdeb59sd <span class="emphasis"><em>not</em></span> in the 10/8 network prefix will
13faa91230bde46da937bf33010b9accc5bdeb59sd be rejected, and this will terminate processing of the
13faa91230bde46da937bf33010b9accc5bdeb59sd ACL. Any address that <span class="emphasis"><em>is</em></span> in the 10/8
13faa91230bde46da937bf33010b9accc5bdeb59sd network prefix will be accepted, but this causes a negative
13faa91230bde46da937bf33010b9accc5bdeb59sd match of the nested ACL, so the containing ACL continues
13faa91230bde46da937bf33010b9accc5bdeb59sd processing. The query will then be accepted if it is signed
13faa91230bde46da937bf33010b9accc5bdeb59sd by the key "example", and rejected otherwise. The ACL, then,
 will only match when <span class="emphasis"><em>both</em></span> conditions
13faa91230bde46da937bf33010b9accc5bdeb59sd are true.
13faa91230bde46da937bf33010b9accc5bdeb59sd </p>
13faa91230bde46da937bf33010b9accc5bdeb59sd</div>
13faa91230bde46da937bf33010b9accc5bdeb59sd<div class="sect1" lang="en">
13faa91230bde46da937bf33010b9accc5bdeb59sd<div class="titlepage"><div><div><h2 class="title" style="clear: both">
13faa91230bde46da937bf33010b9accc5bdeb59sd<a name="id2607434"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
13faa91230bde46da937bf33010b9accc5bdeb59sd</h2></div></div></div>
13faa91230bde46da937bf33010b9accc5bdeb59sd<p>
13faa91230bde46da937bf33010b9accc5bdeb59sd On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
13faa91230bde46da937bf33010b9accc5bdeb59sd in a <span class="emphasis"><em>chrooted</em></span> environment (using
13faa91230bde46da937bf33010b9accc5bdeb59sd the <span><strong class="command">chroot()</strong></span> function) by specifying
13faa91230bde46da937bf33010b9accc5bdeb59sd the <code class="option">-t</code> option for <span><strong class="command">named</strong></span>.
13faa91230bde46da937bf33010b9accc5bdeb59sd This can help improve system security by placing
13faa91230bde46da937bf33010b9accc5bdeb59sd <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
13faa91230bde46da937bf33010b9accc5bdeb59sd the damage done if a server is compromised.
13faa91230bde46da937bf33010b9accc5bdeb59sd </p>
13faa91230bde46da937bf33010b9accc5bdeb59sd<p>
13faa91230bde46da937bf33010b9accc5bdeb59sd Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
 ability to run the daemon as an unprivileged user (<code class="option">-u</code> <em class="replaceable"><code>user</code></em>).
13faa91230bde46da937bf33010b9accc5bdeb59sd We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.
13faa91230bde46da937bf33010b9accc5bdeb59sd </p>
13faa91230bde46da937bf33010b9accc5bdeb59sd<p>
13faa91230bde46da937bf33010b9accc5bdeb59sd Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
13faa91230bde46da937bf33010b9accc5bdeb59sd <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
13faa91230bde46da937bf33010b9accc5bdeb59sd user 202:
13faa91230bde46da937bf33010b9accc5bdeb59sd </p>
13faa91230bde46da937bf33010b9accc5bdeb59sd<p>
13faa91230bde46da937bf33010b9accc5bdeb59sd <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
13faa91230bde46da937bf33010b9accc5bdeb59sd </p>
13faa91230bde46da937bf33010b9accc5bdeb59sd<div class="sect2" lang="en">
13faa91230bde46da937bf33010b9accc5bdeb59sd<div class="titlepage"><div><div><h3 class="title">
13faa91230bde46da937bf33010b9accc5bdeb59sd<a name="id2607584"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
13faa91230bde46da937bf33010b9accc5bdeb59sd<p>
13faa91230bde46da937bf33010b9accc5bdeb59sd In order for a <span><strong class="command">chroot</strong></span> environment
13faa91230bde46da937bf33010b9accc5bdeb59sd to
13faa91230bde46da937bf33010b9accc5bdeb59sd work properly in a particular directory
9c94f155585ea35e938fea603bc227c685223abdCheng Sean Ye (for example, <code class="filename">/var/named</code>),
9c94f155585ea35e938fea603bc227c685223abdCheng Sean Ye you will need to set up an environment that includes everything
13faa91230bde46da937bf33010b9accc5bdeb59sd <acronym class="acronym">BIND</acronym> needs to run.
13faa91230bde46da937bf33010b9accc5bdeb59sd From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
 the root of the filesystem. You will need to adjust the values of
 options like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
 for this.
13faa91230bde46da937bf33010b9accc5bdeb59sd </p>
13faa91230bde46da937bf33010b9accc5bdeb59sd<p>
13faa91230bde46da937bf33010b9accc5bdeb59sd Unlike with earlier versions of BIND, you typically will
13faa91230bde46da937bf33010b9accc5bdeb59sd <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
13faa91230bde46da937bf33010b9accc5bdeb59sd statically nor install shared libraries under the new root.
13faa91230bde46da937bf33010b9accc5bdeb59sd However, depending on your operating system, you may need
13faa91230bde46da937bf33010b9accc5bdeb59sd to set up things like
13faa91230bde46da937bf33010b9accc5bdeb59sd <code class="filename">/dev/zero</code>,
13faa91230bde46da937bf33010b9accc5bdeb59sd <code class="filename">/dev/random</code>,
13faa91230bde46da937bf33010b9accc5bdeb59sd <code class="filename">/dev/log</code>, and
13faa91230bde46da937bf33010b9accc5bdeb59sd <code class="filename">/etc/localtime</code>.
13faa91230bde46da937bf33010b9accc5bdeb59sd </p>
13faa91230bde46da937bf33010b9accc5bdeb59sd</div>
13faa91230bde46da937bf33010b9accc5bdeb59sd<div class="sect2" lang="en">
13faa91230bde46da937bf33010b9accc5bdeb59sd<div class="titlepage"><div><div><h3 class="title">
13faa91230bde46da937bf33010b9accc5bdeb59sd<a name="id2607643"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
13faa91230bde46da937bf33010b9accc5bdeb59sd<p>
13faa91230bde46da937bf33010b9accc5bdeb59sd Prior to running the <span><strong class="command">named</strong></span> daemon,
13faa91230bde46da937bf33010b9accc5bdeb59sd use
13faa91230bde46da937bf33010b9accc5bdeb59sd the <span><strong class="command">touch</strong></span> utility (to change file
13faa91230bde46da937bf33010b9accc5bdeb59sd access and
13faa91230bde46da937bf33010b9accc5bdeb59sd modification times) or the <span><strong class="command">chown</strong></span>
13faa91230bde46da937bf33010b9accc5bdeb59sd utility (to
13faa91230bde46da937bf33010b9accc5bdeb59sd set the user id and/or group id) on files
13faa91230bde46da937bf33010b9accc5bdeb59sd to which you want <acronym class="acronym">BIND</acronym>
13faa91230bde46da937bf33010b9accc5bdeb59sd to write.
13faa91230bde46da937bf33010b9accc5bdeb59sd </p>
13faa91230bde46da937bf33010b9accc5bdeb59sd<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
13faa91230bde46da937bf33010b9accc5bdeb59sd<h3 class="title">Note</h3>
13faa91230bde46da937bf33010b9accc5bdeb59sd Note that if the <span><strong class="command">named</strong></span> daemon is running as an
13faa91230bde46da937bf33010b9accc5bdeb59sd unprivileged user, it will not be able to bind to new restricted
13faa91230bde46da937bf33010b9accc5bdeb59sd ports if the server is reloaded.
13faa91230bde46da937bf33010b9accc5bdeb59sd </div>
13faa91230bde46da937bf33010b9accc5bdeb59sd</div>
13faa91230bde46da937bf33010b9accc5bdeb59sd</div>
13faa91230bde46da937bf33010b9accc5bdeb59sd<div class="sect1" lang="en">
13faa91230bde46da937bf33010b9accc5bdeb59sd<div class="titlepage"><div><div><h2 class="title" style="clear: both">
13faa91230bde46da937bf33010b9accc5bdeb59sd<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
13faa91230bde46da937bf33010b9accc5bdeb59sd<p>
13faa91230bde46da937bf33010b9accc5bdeb59sd Access to the dynamic
13faa91230bde46da937bf33010b9accc5bdeb59sd update facility should be strictly limited. In earlier versions of
13faa91230bde46da937bf33010b9accc5bdeb59sd <acronym class="acronym">BIND</acronym>, the only way to do this was
13faa91230bde46da937bf33010b9accc5bdeb59sd based on the IP
13faa91230bde46da937bf33010b9accc5bdeb59sd address of the host requesting the update, by listing an IP address
13faa91230bde46da937bf33010b9accc5bdeb59sd or
13faa91230bde46da937bf33010b9accc5bdeb59sd network prefix in the <span><strong class="command">allow-update</strong></span>
13faa91230bde46da937bf33010b9accc5bdeb59sd zone option.
13faa91230bde46da937bf33010b9accc5bdeb59sd This method is insecure since the source address of the update UDP
13faa91230bde46da937bf33010b9accc5bdeb59sd packet
13faa91230bde46da937bf33010b9accc5bdeb59sd is easily forged. Also note that if the IP addresses allowed by the
13faa91230bde46da937bf33010b9accc5bdeb59sd <span><strong class="command">allow-update</strong></span> option include the
13faa91230bde46da937bf33010b9accc5bdeb59sd address of a slave
13faa91230bde46da937bf33010b9accc5bdeb59sd server which performs forwarding of dynamic updates, the master can
13faa91230bde46da937bf33010b9accc5bdeb59sd be
13faa91230bde46da937bf33010b9accc5bdeb59sd trivially attacked by sending the update to the slave, which will
13faa91230bde46da937bf33010b9accc5bdeb59sd forward it to the master with its own source IP address causing the
13faa91230bde46da937bf33010b9accc5bdeb59sd master to approve it without question.
13faa91230bde46da937bf33010b9accc5bdeb59sd </p>
13faa91230bde46da937bf33010b9accc5bdeb59sd<p>
13faa91230bde46da937bf33010b9accc5bdeb59sd For these reasons, we strongly recommend that updates be
13faa91230bde46da937bf33010b9accc5bdeb59sd cryptographically authenticated by means of transaction signatures
13faa91230bde46da937bf33010b9accc5bdeb59sd (TSIG). That is, the <span><strong class="command">allow-update</strong></span>
13faa91230bde46da937bf33010b9accc5bdeb59sd option should
13faa91230bde46da937bf33010b9accc5bdeb59sd list only TSIG key names, not IP addresses or network
13faa91230bde46da937bf33010b9accc5bdeb59sd prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>
13faa91230bde46da937bf33010b9accc5bdeb59sd option can be used.
13faa91230bde46da937bf33010b9accc5bdeb59sd </p>
13faa91230bde46da937bf33010b9accc5bdeb59sd<p>
13faa91230bde46da937bf33010b9accc5bdeb59sd Some sites choose to keep all dynamically-updated DNS data
13faa91230bde46da937bf33010b9accc5bdeb59sd in a subdomain and delegate that subdomain to a separate zone. This
13faa91230bde46da937bf33010b9accc5bdeb59sd way, the top-level zone containing critical data such as the IP
13faa91230bde46da937bf33010b9accc5bdeb59sd addresses
13faa91230bde46da937bf33010b9accc5bdeb59sd of public web and mail servers need not allow dynamic update at
13faa91230bde46da937bf33010b9accc5bdeb59sd all.
13faa91230bde46da937bf33010b9accc5bdeb59sd </p>
13faa91230bde46da937bf33010b9accc5bdeb59sd</div>
13faa91230bde46da937bf33010b9accc5bdeb59sd</div>
13faa91230bde46da937bf33010b9accc5bdeb59sd<div class="navfooter">
13faa91230bde46da937bf33010b9accc5bdeb59sd<hr>
13faa91230bde46da937bf33010b9accc5bdeb59sd<table width="100%" summary="Navigation footer">
13faa91230bde46da937bf33010b9accc5bdeb59sd<tr>
13faa91230bde46da937bf33010b9accc5bdeb59sd<td width="40%" align="left">
<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>&nbsp;</td>
<td width="20%" align="center">&nbsp;</td>
<td width="40%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
13faa91230bde46da937bf33010b9accc5bdeb59sd</td>
13faa91230bde46da937bf33010b9accc5bdeb59sd</tr>
13faa91230bde46da937bf33010b9accc5bdeb59sd<tr>
<td width="40%" align="left" valign="top">Chapter&nbsp;6.&nbsp;<acronym class="acronym">BIND</acronym> 9 Configuration Reference&nbsp;</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">&nbsp;Chapter&nbsp;8.&nbsp;Troubleshooting</td>
13faa91230bde46da937bf33010b9accc5bdeb59sd</tr>
13faa91230bde46da937bf33010b9accc5bdeb59sd</table>
13faa91230bde46da937bf33010b9accc5bdeb59sd</div>
13faa91230bde46da937bf33010b9accc5bdeb59sd<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
13faa91230bde46da937bf33010b9accc5bdeb59sd</body>
13faa91230bde46da937bf33010b9accc5bdeb59sd</html>
13faa91230bde46da937bf33010b9accc5bdeb59sd