Bv9ARM.ch07.html revision 605b07cadd58ff1d8f89ddf277451ee87a542f9b
Automatic Updater - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
Tinderbox User - Copyright (C) 2000-2003 Internet Software Consortium.
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
<!-- $Id: Bv9ARM.ch07.html,v 1.114 2006/01/29 22:57:16 marka Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter&nbsp;7.&nbsp;BIND 9 Security Considerations</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter&nbsp;6.&nbsp;BIND 9 Configuration Reference">
<link rel="next" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Chapter&nbsp;7.&nbsp;<span class="acronym">BIND</span> 9 Security Considerations</th></tr>
<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>&nbsp;</td>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch07"></a>Chapter&nbsp;7.&nbsp;<span class="acronym">BIND</span> 9 Security Considerations</h2></div></div></div>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2573149"><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span></a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2573225">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2573353">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
<p>
Access Control Lists (ACLs) are address match lists that
you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
<span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-recursion</strong></span>,
<span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
etc.
</p>
<p>
Using ACLs allows you to have finer control over who can access
your name server, without cluttering up your config files with huge
lists of IP addresses.
</p>
<p>
It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
control access to your server. Limiting which outside parties can query
your server, and in particular which can use it for recursion, helps prevent
it being abused in spoofing and denial-of-service (DoS) attacks: an open
recursive server answers queries carrying a forged source address and so
acts as a reflector against the victim.
</p>
<p>
Here is an example of how to properly apply ACLs:
</p>
<pre class="programlisting">
// Set up an ACL named "bogusnets" that will block RFC1918 space
// and some reserved space, which is commonly used in spoofing attacks.
acl bogusnets {
        0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
        10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
};
// Set up an ACL called our-nets. Replace this with the real IP numbers.
acl our-nets { 198.51.100.0/24; 203.0.113.0/24; };
options {
        allow-query { our-nets; };
        allow-recursion { our-nets; };
        blackhole { bogusnets; };
};
zone "example.com" {
        type master;
        file "m/example.com";
        allow-query { any; };
};
</pre>
<p>
Two caveats before copying this list. 1.0.0.0/8 and 2.0.0.0/8 were
unallocated when the example was written but have since been assigned
(to APNIC and RIPE NCC respectively), so blackholing them today drops
legitimate clients; check the current IANA IPv4 address space registry
before reusing any "bogus" list. And if your own clients
(<span><strong class="command">our-nets</strong></span>) use RFC 1918 addresses, the
private prefixes must not appear in
<span><strong class="command">blackhole</strong></span>, which is evaluated before any
<span><strong class="command">allow-</strong></span> option. The prefixes used for
<span><strong class="command">our-nets</strong></span> above are RFC 5737 documentation
addresses, chosen only because they are not in
<span><strong class="command">bogusnets</strong></span>.
</p>
<p>
The zone-level <span><strong class="command">allow-query</strong></span> overrides the
global one, so authoritative data for "example.com" may be queried from any
address, while recursive queries are still honoured only from the networks
in "our-nets", because <span><strong class="command">allow-recursion</strong></span>
is not overridden by the zone statement. Verify this from outside your
network: a query for a name you are not authoritative for should be refused
(it fails the global <span><strong class="command">allow-query</strong></span>),
never resolved on the outsider's behalf.
</p>
<p>
For more information on how to use ACLs to protect your server,
see the <span class="emphasis"><em>AUSCERT</em></span> advisory at:
<a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a>
</p>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2573149"></a><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span></h2></div></div></div>
<p>
On UNIX servers, it is possible to run <span class="acronym">BIND</span> in a <span class="emphasis"><em>chrooted</em></span> environment
(<span><strong class="command">chroot()</strong></span>) by specifying the "<code class="option">-t</code>"
option. This can help improve system security by placing <span class="acronym">BIND</span> in
a "sandbox", which will limit the damage done if the server is
compromised: a subverted <span><strong class="command">named</strong></span> can
only read and write what exists under the new root.
</p>
<p>
Another useful feature in the UNIX version of <span class="acronym">BIND</span> is the
ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature:
a process that keeps root privileges can break out of a
<span><strong class="command">chroot()</strong></span> jail, so
"<code class="option">-t</code>" without "<code class="option">-u</code>" gives little
protection. Create a dedicated account for this purpose rather than
reusing an existing one.
</p>
<p>
Here is an example command line to load <span class="acronym">BIND</span> in a <span><strong class="command">chroot()</strong></span> sandbox,
<span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
user 202:
</p>
<p>
<strong class="userinput"><code>/usr/local/bin/named -u 202 -t /var/named</code></strong>
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2573225"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
<p>
In order for a <span><strong class="command">chroot()</strong></span> environment
to work properly in a particular directory
(for example, <code class="filename">/var/named</code>),
you will need to set up an environment that includes everything
<span class="acronym">BIND</span> needs to run.
From <span class="acronym">BIND</span>'s point of view, <code class="filename">/var/named</code> is
the root of the filesystem. You will need to adjust the values of
options like <span><strong class="command">directory</strong></span> and
<span><strong class="command">pid-file</strong></span> to account for this.
Note that <span><strong class="command">named</strong></span> changes root before it reads
its configuration file, so the path given with "<code class="option">-c</code>"
and every path inside <code class="filename">named.conf</code> are interpreted
relative to the new root, not to the host's filesystem.
</p>
<p>
Unlike with earlier versions of BIND, you will typically
<span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
statically nor install shared libraries under the new root.
However, depending on your operating system, you may need
to set up things like
<code class="filename">/dev/random</code> (the default entropy source of
<span><strong class="command">named</strong></span>; see the
"<code class="option">-r</code>" option),
<code class="filename">/dev/log</code> (a socket that your syslog daemon must
be told to create under the new root, or
<span><strong class="command">named</strong></span> cannot log via syslog), and/or
<code class="filename">/etc/localtime</code>.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2573353"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
<p>
Prior to running the <span><strong class="command">named</strong></span> daemon, use
the <span><strong class="command">touch</strong></span> utility (to change file
modification times) or the <span><strong class="command">chown</strong></span>
utility (to set ownership) on the files and directories
to which you want <span class="acronym">BIND</span>
to write. Give the unprivileged user write access only to those
(zone files that are dynamically updated, journals, the pid file); the
configuration and static zone files should stay read-only for it, so that
a compromised <span><strong class="command">named</strong></span> cannot rewrite its own
configuration.
</p>
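<p>
The procedure of the two subsections above (lay out the tree, adjust the
jail-relative paths, fix ownership, then check before starting) as one
script. This is an added example, not code from the ARM or from ISC. It
assumes the layout below, a start command of
<code>named -u "$user" -t "$root" -c /etc/named.conf</code>, Linux
device numbers for <code>mknod</code>, and the hypothetical helper names
<code>build_named_chroot</code>, <code>conf_value</code> and
<code>check_named_chroot</code>; the syslog socket under the new root has
to be created by the syslog daemon itself, so the script only reports on it.
</p>

```sh
#!/bin/sh
# Added example (not from the ARM or from ISC): build and check a chroot()
# tree for named, assuming it is started as
#   named -u "$user" -t "$root" -c /etc/named.conf
# The syslog socket ($root/dev/log) must be opened by the syslog daemon;
# this script only reports whether it is present.

# Create the tree, device nodes, timezone data and a minimal named.conf
# whose paths are written as named will see them AFTER chroot(), i.e.
# relative to $root rather than to the host's filesystem root.
build_named_chroot() {
    root=$1; user=$2
    mkdir -p "$root/etc" "$root/dev" "$root/var/named" "$root/var/run/named"

    # /dev/random (named's default entropy source, see -r) and /dev/null.
    # Major/minor numbers are Linux's. mknod needs root; when it fails
    # (non-root test run) an empty placeholder keeps the layout checkable,
    # but a real deployment needs the device nodes.
    for dev in null:1:3 random:1:8; do
        name=${dev%%:*}; rest=${dev#*:}; major=${rest%%:*}; minor=${rest#*:}
        [ -e "$root/dev/$name" ] || mknod "$root/dev/$name" c "$major" "$minor" 2>/dev/null \
            || : > "$root/dev/$name"
    done

    # Timezone data, so timestamps logged from inside the jail are local.
    if [ -f /etc/localtime ]; then cp /etc/localtime "$root/etc/localtime"; fi

    # Minimal configuration; directory and pid-file are jail-relative.
    cat > "$root/etc/named.conf" <<'EOF'
options {
        directory "/var/named";
        pid-file "/var/run/named/named.pid";
        recursion no;
};
EOF

    # Hand the unprivileged user only what named must write to (zone files,
    # journals, the pid file). The configuration itself stays read-only.
    chown -R "$user" "$root/var/named" "$root/var/run/named"
    chmod 755 "$root/var/named" "$root/var/run/named"
}

# Read a quoted single-value option (directory, pid-file) out of named.conf.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2"
}

# Verify the tree before starting named: required paths present, the
# jail-relative paths in named.conf resolving under $root, and the writable
# directories owned by the service user. Returns 0 only if all checks pass.
check_named_chroot() {
    root=$1; user=$2; rc=0
    # Accept a name or a numeric uid (as in "named -u 202").
    uid=$(id -u "$user" 2>/dev/null || echo "$user")

    for p in etc/named.conf dev/random dev/null var/named var/run/named; do
        if [ ! -e "$root/$p" ]; then echo "missing: $root/$p"; rc=1; fi
    done
    # Advisory only: logging falls back to stderr / UTC timestamps.
    if [ ! -S "$root/dev/log" ]; then echo "note: no syslog socket at $root/dev/log"; fi
    if [ ! -f "$root/etc/localtime" ]; then echo "note: no $root/etc/localtime"; fi

    conf=$root/etc/named.conf
    if [ -f "$conf" ]; then
        dir=$(conf_value directory "$conf")
        pidf=$(conf_value pid-file "$conf")
        if [ -z "$dir" ] || [ ! -d "$root$dir" ]; then
            echo "directory \"$dir\" does not exist under $root"; rc=1
        fi
        if [ -z "$pidf" ] || [ ! -d "$root$(dirname "$pidf")" ]; then
            echo "pid-file directory for \"$pidf\" does not exist under $root"; rc=1
        fi
    fi

    for p in var/named var/run/named; do
        owner=$(ls -ldn "$root/$p" 2>/dev/null | awk '{print $3}')
        if [ "$owner" != "$uid" ]; then
            echo "$root/$p owned by uid ${owner:-?}, expected $uid"; rc=1
        fi
    done
    return $rc
}

# Usage: sh this-script.sh /var/named 202
if [ -n "${1:-}" ]; then
    build_named_chroot "$1" "${2:-named}" && check_named_chroot "$1" "${2:-named}"
fi
```

<p>
Run it as root against the real jail directory and the uid you will pass to
"<code class="option">-u</code>"; the check deliberately leaves
<code class="filename">named.conf</code> owned by root so that the service
user cannot edit it.
</p>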
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
Note that if the <span><strong class="command">named</strong></span> daemon is running as an
unprivileged user, it will not be able to bind to new restricted
ports (ports below 1024) if the server is reloaded, for example after a
<span><strong class="command">listen-on</strong></span> address is added to the
configuration; such changes require a restart rather than a reload.
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
<p>
Access to the dynamic
update facility should be strictly limited. In earlier versions of
<span class="acronym">BIND</span> the only way to do this was
based on the IP
address of the host requesting the update, by listing an IP address or
network prefix in the <span><strong class="command">allow-update</strong></span>
zone option.
This method is insecure since the source address of the update UDP
packet is easily forged. Also note that if the IP addresses allowed by the
<span><strong class="command">allow-update</strong></span> option include the
address of a slave
server which performs forwarding of dynamic updates (enabled on the slave
with <span><strong class="command">allow-update-forwarding</strong></span>), the master can be
trivially attacked by sending the update to the slave, which will
forward it to the master with its own source IP address, causing the
master to approve it without question.
</p>
<p>
For these reasons, we strongly recommend that updates be
cryptographically authenticated by means of transaction signatures
(TSIG). That is, the <span><strong class="command">allow-update</strong></span>
option should
list only TSIG key names, not IP addresses or network
prefixes. Alternatively, the <span><strong class="command">update-policy</strong></span>
option can be used; it additionally restricts which names and record types
each key may change, so a leaked key for one host cannot rewrite the whole zone.
</p>
<p>
Some sites choose to keep all dynamically updated DNS data
in a subdomain and delegate that subdomain to a separate zone. This
way, the top-level zone containing critical data such as the IP addresses
of public web and mail servers need not allow dynamic update at
all.
</p>
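<p>
The recommendations above as a configuration fragment: the address-based
<span><strong class="command">allow-update</strong></span> shown for contrast, a
TSIG key, an <span><strong class="command">update-policy</strong></span> limited to
one delegated zone, and a parent zone that accepts no updates. This is an
added example, not configuration from the ARM or from ISC. The zone and key
names are illustrative and the secret is a constructed placeholder; generate
a real one with <span><strong class="command">tsig-keygen</strong></span> (or
<span><strong class="command">dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST</strong></span>
on releases that predate it).
</p>

```text
// Added example, not from the ARM. Names are illustrative and the secret
// is a placeholder; generate a real one with tsig-keygen.

/* Weak, shown for contrast: any packet whose source address falls in
   10.0.0.0/8 is accepted, and a slave in that range that has
   allow-update-forwarding enabled launders outside updates to the master.
zone "dyn.example.com" {
        type master;
        file "m/dyn.example.com";
        allow-update { 10.0.0.0/8; };
};
*/

key "ddns-key" {
        algorithm hmac-sha256;                    // hmac-md5 before BIND 9.4
        secret "c2FtcGxlLXNlY3JldC1yZXBsYWNlLW1l";  // placeholder, replace
};

// Critical data stays in a zone with no allow-update or update-policy at
// all; its zone file delegates dyn.example.com with ordinary NS records.
zone "example.com" {
        type master;
        file "m/example.com";
};

// Dynamic data lives in its own zone. The identity that may update it is
// a TSIG key, never an address. update-policy confines the key to names
// under dyn.example.com and to address/TXT records; the simpler
// allow-update { key ddns-key; }; would permit any name and type in the
// zone (the two statements are mutually exclusive).
zone "dyn.example.com" {
        type master;
        file "m/dyn.example.com";
        update-policy {
                grant ddns-key subdomain dyn.example.com. A AAAA TXT;
        };
};
```

<p>
Clients then sign their updates with the same key, for example with
<span><strong class="command">nsupdate -k</strong></span> and a key file
holding the same <span><strong class="command">key</strong></span> statement;
an unsigned update, or one signed with another key, is refused regardless of
where it comes from.
</p>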
<table width="100%" summary="Navigation footer">
<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>&nbsp;</td>
<td width="40%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
<td width="40%" align="left" valign="top">Chapter&nbsp;6.&nbsp;<span class="acronym">BIND</span> 9 Configuration Reference&nbsp;</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">&nbsp;Chapter&nbsp;8.&nbsp;Troubleshooting</td>