Bv9ARM.ch07.html revision 21e01d1a464c9b3c694534a5e283bcde361e72bd
<!--
 - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter&nbsp;7.&nbsp;BIND 9 Security Considerations</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter&nbsp;6.&nbsp;BIND 9 Configuration Reference">
<link rel="next" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Chapter&nbsp;7.&nbsp;<acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">&nbsp;</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="chapter" lang="en">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch07"></a>Chapter&nbsp;7.&nbsp;<acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2604545"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2604626">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2604685">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
<p>
 Access Control Lists (ACLs) are address match lists that
 you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
 <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>,
 <span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>,
 <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
 etc.
 </p>
<p>
 Using ACLs allows you to have finer control over who can access
 your name server, without cluttering up your config files with huge
 lists of IP addresses.
 </p>
<p>
 It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
 control access to your server. Limiting access to your server by
 outside parties can help prevent spoofing and denial of service (DoS) attacks against
 your server.
 </p>
<p>
 Here is an example of how to properly apply ACLs:
 </p>
<pre class="programlisting">
// Set up an ACL named "bogusnets" that will block
// RFC1918 space and some reserved space, which is
// commonly used in spoofing attacks.
acl bogusnets {
 0.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
};

// Set up an ACL called our-nets. Replace this with the
// real IP numbers.
acl our-nets { x.x.x.x/24; x.x.x.x/21; };
options {
 ...
 ...
 allow-query { our-nets; };
 allow-recursion { our-nets; };
 ...
 blackhole { bogusnets; };
 ...
};

zone "example.com" {
 type master;
 file "m/example.com";
 allow-query { any; };
};
</pre>
<p>
 This allows recursive queries of the server from the outside
 unless recursion has been previously disabled.
 </p>
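<p>
 To see how the lists above are actually evaluated, here is an added Python model of
 BIND's address match list rules (an illustration written for this page, not BIND's
 own code). It goes beyond the configuration shown here by also covering negated
 (<code>!</code>) and nested elements; the <code>our-nets</code> prefix and the client
 addresses it is run against are constructed documentation values.
 </p>

```python
"""Model of how BIND evaluates an address match list, applied to the ACLs in
this chapter's example.  Constructed illustration, not BIND's code.

Semantics modelled (BIND's address match list rules, beyond the single
configuration shown on the page): elements are tried in order and the first
one that matches decides; a leading '!' turns a match into a denial; an
element may name another acl, and only a positive match inside that nested
acl counts as a match here; 'any' matches everything, 'none' nothing.
"""
import ipaddress

# The chapter's ACLs.  our-nets uses a constructed documentation prefix in
# place of the manual's x.x.x.x placeholders.
ACLS = {
    "bogusnets": ["0.0.0.0/8", "192.0.2.0/24", "224.0.0.0/3",
                  "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "our-nets": ["203.0.113.0/24"],
}
# The chapter's options {} and zone "example.com" {} access controls.
OPTIONS = {"blackhole": ["bogusnets"],
           "allow-query": ["our-nets"],
           "allow-recursion": ["our-nets"]}
ZONE_EXAMPLE_COM = {"allow-query": ["any"]}


def evaluate(addr, elements, acls=ACLS):
    """First-match evaluation: True = positive match, False = negative match
    (a '!' element matched), None = no element matched."""
    ip = ipaddress.ip_address(addr)
    for element in elements:
        negate = element.startswith("!")
        name = element.lstrip("!").strip()
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name in acls:
            # nested acl: a negative match inside it is treated as no match
            hit = evaluate(addr, acls[name], acls) is True
        else:
            hit = ip in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negate
    return None


def allowed(addr, elements, acls=ACLS):
    """Access-control reading of a list: only a positive match permits."""
    return evaluate(addr, elements, acls) is True


def decide(src, qname):
    """Simplified outcome of a query from src for qname under the chapter's
    config: blackhole first, then the zone's own allow-query for names in
    example.com (it overrides the global one), then the global lists."""
    if allowed(src, OPTIONS["blackhole"]):
        return "dropped"            # blackholed sources get no reply at all
    in_zone = qname == "example.com" or qname.endswith(".example.com")
    query_acl = ZONE_EXAMPLE_COM["allow-query"] if in_zone else OPTIONS["allow-query"]
    if not allowed(src, query_acl):
        return "refused"
    if in_zone:
        return "authoritative"      # zone data is public, no recursion needed
    return "recursive" if allowed(src, OPTIONS["allow-recursion"]) else "refused"


if __name__ == "__main__":
    for src, qname in [("10.1.2.3", "example.com"), ("203.0.113.9", "www.example.org"),
                       ("198.51.100.9", "www.example.com"), ("198.51.100.9", "www.example.org")]:
        print(f"{src:>14} asking {qname:<16} -> {decide(src, qname)}")
```

Note that with these lists an outside client can still query example.com data (the zone's <code>allow-query { any; }</code>) but gets no recursion, because <code>allow-recursion</code> only lists <code>our-nets</code>.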
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2604545"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
</h2></div></div></div>
<p>
 On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
 in a <span class="emphasis"><em>chrooted</em></span> environment (using
 the <span><strong class="command">chroot()</strong></span> function) by specifying
 the "<code class="option">-t</code>" option for <span><strong class="command">named</strong></span>.
 This can help improve system security by placing
 <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
 the damage done if a server is compromised.
 </p>
<p>
 Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
 ability to run the daemon as an unprivileged user (<code class="option">-u</code> <em class="replaceable"><code>user</code></em>).
 We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.
 </p>
<p>
 Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
 <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
 user 202:
 </p>
<p>
 <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
 </p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2604626"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
<p>
 In order for a <span><strong class="command">chroot</strong></span> environment
 to work properly in a particular directory
 (for example, <code class="filename">/var/named</code>),
 you will need to set up an environment that includes everything
 <acronym class="acronym">BIND</acronym> needs to run.
 From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
 the root of the filesystem. You will need to adjust the values of
 options like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
 for this.
 </p>
<p>
 Unlike with earlier versions of BIND, you typically will
 <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
 statically nor install shared libraries under the new root.
 However, depending on your operating system, you may need
 to set up things like
 <code class="filename">/dev/zero</code>,
 <code class="filename">/dev/random</code>,
 <code class="filename">/dev/log</code>, and
 <code class="filename">/etc/localtime</code>.
 </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2604685"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
<p>
 Prior to running the <span><strong class="command">named</strong></span> daemon,
 use the <span><strong class="command">touch</strong></span> utility (to change file
 access and modification times) or the <span><strong class="command">chown</strong></span>
 utility (to set the user id and/or group id) on files
 to which you want <acronym class="acronym">BIND</acronym>
 to write.
 </p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
 Note that if the <span><strong class="command">named</strong></span> daemon is running as an
 unprivileged user, it will not be able to bind to new restricted
 ports if the server is reloaded.
 </div>
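<p>
 As an added example (not from the ARM), the Python helper below does what the two
 subsections above describe for the <code>/var/named</code> sandbox and the uid 202 run:
 it builds the directory skeleton, copies <code>/etc/localtime</code>, creates
 <code>/dev/zero</code> and <code>/dev/random</code>, touches and chowns the files
 <code>named</code> will write, and checks the result. The layout under the root, the
 Linux device numbers and the use of Python in place of <code>touch</code> and
 <code>chown</code> by hand are assumptions.
 </p>

```python
"""Prepare the chroot sandbox for named (the chapter's /var/named) and
pre-create the files named must write, then check the result.  Constructed
helper, not part of BIND: the layout under the root and the Linux device
numbers are assumptions.  Run it as root before
    /usr/local/sbin/named -u 202 -t /var/named
Without root it still builds the skeleton and reports the steps it skipped.
"""
import os
import shutil
import stat
import tempfile

# Paths relative to the chroot root.  named sees them without the prefix, so
# named.conf inside the sandbox must say e.g. pid-file "/var/run/named.pid".
DIRS = ["etc", "dev", "var/run", "var/named/slaves"]
# Only what named writes is handed to the unprivileged uid (chown); the
# configuration and master zone files stay owned by root.
WRITABLE = ["var/run", "var/named/slaves", "var/run/named.pid"]
DEVICES = {"dev/zero": (1, 5), "dev/random": (1, 8)}   # Linux char major/minor
# /dev/log is a socket created by the system logger, so it is not created here.


def setup_chroot(root, uid, gid=-1):
    """Build the skeleton; returns the root-only steps that had to be skipped."""
    for d in DIRS:
        os.makedirs(os.path.join(root, d), exist_ok=True)
    if os.path.exists("/etc/localtime"):        # local time for log timestamps
        shutil.copyfile("/etc/localtime", os.path.join(root, "etc", "localtime"))
    open(os.path.join(root, "var/run/named.pid"), "a").close()   # touch
    if os.geteuid() != 0:
        return ["mknod " + d for d in DEVICES] + ["chown " + p for p in WRITABLE]
    skipped = []
    for dev, (major, minor) in DEVICES.items():
        path = os.path.join(root, dev)
        if os.path.exists(path):
            continue
        try:
            os.mknod(path, 0o666 | stat.S_IFCHR, os.makedev(major, minor))
        except OSError:                         # e.g. no CAP_MKNOD inside a container
            skipped.append("mknod " + dev)
    for p in WRITABLE:
        os.chown(os.path.join(root, p), uid, gid)
    return skipped


def check_chroot(root, uid):
    """Problems that would stop named -u uid -t root from writing where it must."""
    problems = ["missing directory " + d for d in DIRS
                if not os.path.isdir(os.path.join(root, d))]
    for p in WRITABLE:
        full = os.path.join(root, p)
        if not os.path.exists(full):
            problems.append("missing " + p)
        elif os.geteuid() == 0 and os.stat(full).st_uid != uid:
            problems.append("%s not owned by uid %d" % (p, uid))
        elif os.geteuid() != 0 and not os.access(full, os.W_OK):
            problems.append(p + " not writable")
    return problems


def named_command_line(root, uid):
    """The chapter's invocation.  named opens its listening sockets before
    dropping to uid, which is why, as the note above says, a later reload
    cannot open new ports below 1024."""
    return ["/usr/local/sbin/named", "-u", str(uid), "-t", root]


def demo(uid=202):
    """Build a throwaway sandbox in a temporary directory and check it."""
    root = tempfile.mkdtemp(prefix="named-chroot-")
    skipped = setup_chroot(root, uid)
    return root, skipped, check_chroot(root, uid)


if __name__ == "__main__":
    root, skipped, problems = demo()
    print("root:", root, "\nskipped:", skipped, "\nproblems:", problems)
    print(" ".join(named_command_line(root, 202)))
```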
</div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
<p>
 Access to the dynamic update facility should be strictly limited.
 In earlier versions of <acronym class="acronym">BIND</acronym>, the only
 way to do this was based on the IP address of the host requesting the
 update, by listing an IP address or network prefix in the
 <span><strong class="command">allow-update</strong></span> zone option.
 This method is insecure since the source address of the update UDP packet
 is easily forged. Also note that if the IP addresses allowed by the
 <span><strong class="command">allow-update</strong></span> option include the
 address of a slave server which performs forwarding of dynamic updates,
 the master can be trivially attacked by sending the update to the slave,
 which will forward it to the master with its own source IP address, causing
 the master to approve it without question.
 </p>
<p>
 For these reasons, we strongly recommend that updates be
 cryptographically authenticated by means of transaction signatures
 (TSIG). That is, the <span><strong class="command">allow-update</strong></span>
 option should list only TSIG key names, not IP addresses or network
 prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>
 option can be used.
 </p>
<p>
 Some sites choose to keep all dynamically-updated DNS data
 in a subdomain and delegate that subdomain to a separate zone. This
 way, the top-level zone containing critical data such as the IP addresses
 of public web and mail servers need not allow dynamic update at all.
 </p>
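<p>
 An added example, not from the ARM: a small Python audit that reads a constructed
 <code>named.conf</code> and flags every <code>allow-update</code> list that grants by
 IP address or prefix rather than by TSIG key name, which is the weak setting this
 section warns about, shown beside the key-based and <code>update-policy</code> forms.
 The zone names, the key name and the secret in the sample are placeholders.
 </p>

```python
"""Audit allow-update lists in a named.conf: flag zones where updates are
authorised by source address or prefix (forgeable, as the section explains)
rather than by TSIG key name.  Constructed example on a constructed
configuration; not part of BIND.  Key name, zone names and secret are
made-up placeholders.
"""
import ipaddress
import re

SAMPLE_CONF = '''
key "dhcp-update-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET==";
};

zone "example.com" {
    type master;
    file "m/example.com";
    allow-update { 203.0.113.0/24; 198.51.100.7; };   // weak: address based
};

zone "dyn.example.com" {
    type master;
    file "m/dyn.example.com";
    allow-update { key "dhcp-update-key"; };           // TSIG key names only
};

zone "lab.example.com" {
    type master;
    file "m/lab.example.com";
    update-policy { grant dhcp-update-key subdomain lab.example.com. A TXT; };
};
'''

COMMENT = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)


def classify(element):
    """'ok' for a key name or none, 'weak' for anything address based,
    'acl' for a named acl that has to be checked separately."""
    e = element.strip().lstrip("!").strip()
    if e.startswith("key ") or e == "none":
        return "ok"
    if e in ("any", "localhost", "localnets"):
        return "weak"
    try:
        ipaddress.ip_network(e, strict=False)
        return "weak"
    except ValueError:
        return "acl"        # weak too unless the acl itself lists only keys


def audit(conf):
    """Map each zone name to its findings (an empty list means fine)."""
    text = COMMENT.sub("", conf)
    findings = {}
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', text):
        zone, depth, i = m.group(1), 1, m.end()
        while depth and i < len(text):          # find the matching closing brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        body = text[m.end():i - 1]
        findings[zone] = []
        au = re.search(r"allow-update\s*\{([^}]*)\}", body)
        if not au:
            continue                            # no allow-update: update-policy or none
        for el in filter(None, (x.strip() for x in au.group(1).split(";"))):
            kind = classify(el)
            if kind == "weak":
                findings[zone].append("address-based allow-update element: " + el)
            elif kind == "acl":
                findings[zone].append("acl '%s' in allow-update: verify it lists only keys" % el)
    return findings


if __name__ == "__main__":
    for zone, problems in audit(SAMPLE_CONF).items():
        print(zone, "->", problems or "ok")
```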
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>&nbsp;</td>
<td width="20%" align="center">&nbsp;</td>
<td width="40%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">Chapter&nbsp;6.&nbsp;<acronym class="acronym">BIND</acronym> 9 Configuration Reference&nbsp;</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">&nbsp;Chapter&nbsp;8.&nbsp;Troubleshooting</td>
</tr>
</table>
</div>
</body>
</html>
