doc/arm/Bv9ARM.ch07.html

	Bv9ARM.ch07.html revision 61ab11c0ec845606f85452b2c9f2e223772aae00
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<!--
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff - Copyright (C) 2000-2003 Internet Software Consortium.
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff -
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff - Permission to use, copy, modify, and/or distribute this software for any
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff - purpose with or without fee is hereby granted, provided that the above
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff - copyright notice and this permission notice appear in all copies.
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff -
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff - PERFORMANCE OF THIS SOFTWARE.
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff-->
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<!-- $Id$ -->
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<html>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<head>
b91bbaf50cf6d0c2cad7323720495165595e413bMichael Graff<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<title>Chapter�7.�BIND 9 Security Considerations</title>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter�6.�BIND 9 Configuration Reference">
f738cdef3d31d380d62da96a77e5ea6f43575960Mark Andrews<link rel="next" href="Bv9ARM.ch08.html" title="Chapter�8.�Troubleshooting">
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff</head>
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff<div class="navheader">
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<table width="100%" summary="Navigation header">
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff<tr><th colspan="3" align="center">Chapter�7.�<acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<tr>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<td width="20%" align="left">
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>�</td>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<th width="60%" align="center">�</th>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff</td>
01933e930208da3291de3722cb0d0787636b1e4fMichael Graff</tr>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff</table>
01933e930208da3291de3722cb0d0787636b1e4fMichael Graff<hr>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff</div>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<div class="chapter" lang="en">
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<div class="titlepage"><div><div><h2 class="title">
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<a name="Bv9ARM.ch07"></a>Chapter�7.�<acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<div class="toc">
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<p><b>Table of Contents</b></p>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<dl>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2606584"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<dd><dl>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2606665">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2606725">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff</dl></dd>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff</dl>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff</div>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<div class="sect1" lang="en">
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<div class="titlepage"><div><div><h2 class="title" style="clear: both">
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<p>
8cd870e3f5e3db9808a4a0d6f98db3d1a5348e40Michael Graff          Access Control Lists (ACLs) are address match lists that
8cd870e3f5e3db9808a4a0d6f98db3d1a5348e40Michael Graff          you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff          <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>,
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff          <span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>,
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff          <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff          etc.
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff        </p>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<p>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff          Using ACLs allows you to have finer control over who can access
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff          your name server, without cluttering up your config files with huge
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff          lists of IP addresses.
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff        </p>
7a166c5c61a5aaa6eeb929bed152dc0a6b128e3dMichael Graff<p>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff          It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff          control access to your server. Limiting access to your server by
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff          outside parties can help prevent spoofing and denial of service (DoS) attacks against
d736db6dc53e615e3f2d66d1ddbe28473694d107Michael Graff          your server.
d736db6dc53e615e3f2d66d1ddbe28473694d107Michael Graff        </p>
d736db6dc53e615e3f2d66d1ddbe28473694d107Michael Graff<p>
d736db6dc53e615e3f2d66d1ddbe28473694d107Michael Graff          Here is an example of how to properly apply ACLs:
d736db6dc53e615e3f2d66d1ddbe28473694d107Michael Graff        </p>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<pre class="programlisting">
8cd870e3f5e3db9808a4a0d6f98db3d1a5348e40Michael Graff// Set up an ACL named "bogusnets" that will block
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff// RFC1918 space and some reserved space, which is
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff// commonly used in spoofing attacks.
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graffacl bogusnets {
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence        0.0.0.0/8;  192.0.2.0/24; 224.0.0.0/3;
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff        10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff};
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff// Set up an ACL called our-nets. Replace this with the
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff// real IP numbers.
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graffacl our-nets { x.x.x.x/24; x.x.x.x/21; };
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graffoptions {
c1cfd8ef05f47f2ccb5db80639e9501c9f16864cMichael Graff  ...
c1cfd8ef05f47f2ccb5db80639e9501c9f16864cMichael Graff  ...
c1cfd8ef05f47f2ccb5db80639e9501c9f16864cMichael Graff  allow-query { our-nets; };
c1cfd8ef05f47f2ccb5db80639e9501c9f16864cMichael Graff  allow-recursion { our-nets; };
c1cfd8ef05f47f2ccb5db80639e9501c9f16864cMichael Graff  ...
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff  blackhole { bogusnets; };
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff  ...
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff};
7a166c5c61a5aaa6eeb929bed152dc0a6b128e3dMichael Graff
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrencezone "example.com" {
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff  type master;
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff  file "m/example.com";
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff  allow-query { any; };
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff};
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff</pre>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<p>
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence          This allows recursive queries of the server from the outside
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff          unless recursion has been previously disabled.
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff        </p>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff</div>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<div class="sect1" lang="en">
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<div class="titlepage"><div><div><h2 class="title" style="clear: both">
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<a name="id2606584"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence</h2></div></div></div>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<p>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff          On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff          in a <span class="emphasis"><em>chrooted</em></span> environment (using
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff          the <span><strong class="command">chroot()</strong></span> function) by specifying
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff          the "<code class="option">-t</code>" option for <span><strong class="command">named</strong></span>.
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff          This can help improve system security by placing
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff          <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence          the damage done if a server is compromised.
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff        </p>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<p>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff          Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff          ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff          We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff        </p>
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence<p>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff          Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff          <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff          user 202:
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff        </p>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<p>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff          <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff        </p>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<div class="sect2" lang="en">
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<div class="titlepage"><div><div><h3 class="title">
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<a name="id2606665"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff<p>
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff            In order for a <span><strong class="command">chroot</strong></span> environment
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff            to
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff            work properly in a particular directory
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence            (for example, <code class="filename">/var/named</code>),
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff            you will need to set up an environment that includes everything
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff            <acronym class="acronym">BIND</acronym> needs to run.
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff            From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff            the root of the filesystem.  You will need to adjust the values of
64bed6c54393c2d213db83e9b171fb7c318cfc8eMichael Graff            options like
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff            like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
01933e930208da3291de3722cb0d0787636b1e4fMichael Graff            for this.
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence          </p>
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff<p>
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff            Unlike with earlier versions of BIND, you typically will
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff            <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff            statically nor install shared libraries under the new root.
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff            However, depending on your operating system, you may need
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff            to set up things like
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff            <code class="filename">/dev/zero</code>,
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff            <code class="filename">/dev/random</code>,
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff            <code class="filename">/dev/log</code>, and
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff            <code class="filename">/etc/localtime</code>.
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff          </p>
8cd870e3f5e3db9808a4a0d6f98db3d1a5348e40Michael Graff</div>
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff<div class="sect2" lang="en">
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff<div class="titlepage"><div><div><h3 class="title">
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff<a name="id2606725"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff<p>
8cd870e3f5e3db9808a4a0d6f98db3d1a5348e40Michael Graff            Prior to running the <span><strong class="command">named</strong></span> daemon,
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff            use
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff            the <span><strong class="command">touch</strong></span> utility (to change file
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff            access and
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff            modification times) or the <span><strong class="command">chown</strong></span>
8cd870e3f5e3db9808a4a0d6f98db3d1a5348e40Michael Graff            utility (to
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff            set the user id and/or group id) on files
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff            to which you want <acronym class="acronym">BIND</acronym>
01933e930208da3291de3722cb0d0787636b1e4fMichael Graff            to write.
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff          </p>
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
1a70537f01305cb84d402c84b1ba7cc89b97a5dcMichael Graff<h3 class="title">Note</h3>
1a70537f01305cb84d402c84b1ba7cc89b97a5dcMichael Graff            Note that if the <span><strong class="command">named</strong></span> daemon is running as an
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff            unprivileged user, it will not be able to bind to new restricted
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff            ports if the server is reloaded.
b91bbaf50cf6d0c2cad7323720495165595e413bMichael Graff          </div>
b91bbaf50cf6d0c2cad7323720495165595e413bMichael Graff</div>
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff</div>
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff<div class="sect1" lang="en">
b91bbaf50cf6d0c2cad7323720495165595e413bMichael Graff<div class="titlepage"><div><div><h2 class="title" style="clear: both">
b91bbaf50cf6d0c2cad7323720495165595e413bMichael Graff<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
b91bbaf50cf6d0c2cad7323720495165595e413bMichael Graff<p>
a4987cc03171e0ff3e3b07e7aac0f6bde8e09bf2Michael Graff          Access to the dynamic
b91bbaf50cf6d0c2cad7323720495165595e413bMichael Graff          update facility should be strictly limited.  In earlier versions of
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff          <acronym class="acronym">BIND</acronym>, the only way to do this was
f2edc636b0aef5c407ee8e15ee9ebb198e419e0fAndreas Gustafsson          based on the IP
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff          address of the host requesting the update, by listing an IP address
01933e930208da3291de3722cb0d0787636b1e4fMichael Graff          or
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff          network prefix in the <span><strong class="command">allow-update</strong></span>
8cd870e3f5e3db9808a4a0d6f98db3d1a5348e40Michael Graff          zone option.
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff          This method is insecure since the source address of the update UDP
8cd870e3f5e3db9808a4a0d6f98db3d1a5348e40Michael Graff          packet
b91bbaf50cf6d0c2cad7323720495165595e413bMichael Graff          is easily forged.  Also note that if the IP addresses allowed by the
b91bbaf50cf6d0c2cad7323720495165595e413bMichael Graff          <span><strong class="command">allow-update</strong></span> option include the
b91bbaf50cf6d0c2cad7323720495165595e413bMichael Graff          address of a slave
b91bbaf50cf6d0c2cad7323720495165595e413bMichael Graff          server which performs forwarding of dynamic updates, the master can
b91bbaf50cf6d0c2cad7323720495165595e413bMichael Graff          be
b91bbaf50cf6d0c2cad7323720495165595e413bMichael Graff          trivially attacked by sending the update to the slave, which will
b91bbaf50cf6d0c2cad7323720495165595e413bMichael Graff          forward it to the master with its own source IP address causing the
b91bbaf50cf6d0c2cad7323720495165595e413bMichael Graff          master to approve it without question.
d257033612f3052265085e0d7fdc116c871a28c0Michael Graff        </p>
b91bbaf50cf6d0c2cad7323720495165595e413bMichael Graff<p>
b91bbaf50cf6d0c2cad7323720495165595e413bMichael Graff          For these reasons, we strongly recommend that updates be
b91bbaf50cf6d0c2cad7323720495165595e413bMichael Graff          cryptographically authenticated by means of transaction signatures
b91bbaf50cf6d0c2cad7323720495165595e413bMichael Graff          (TSIG).  That is, the <span><strong class="command">allow-update</strong></span>
b91bbaf50cf6d0c2cad7323720495165595e413bMichael Graff          option should
b91bbaf50cf6d0c2cad7323720495165595e413bMichael Graff          list only TSIG key names, not IP addresses or network
b91bbaf50cf6d0c2cad7323720495165595e413bMichael Graff          prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>
b91bbaf50cf6d0c2cad7323720495165595e413bMichael Graff          option can be used.
b91bbaf50cf6d0c2cad7323720495165595e413bMichael Graff        </p>
b91bbaf50cf6d0c2cad7323720495165595e413bMichael Graff<p>
b91bbaf50cf6d0c2cad7323720495165595e413bMichael Graff          Some sites choose to keep all dynamically-updated DNS data
b91bbaf50cf6d0c2cad7323720495165595e413bMichael Graff          in a subdomain and delegate that subdomain to a separate zone. This
b91bbaf50cf6d0c2cad7323720495165595e413bMichael Graff          way, the top-level zone containing critical data such as the IP
b91bbaf50cf6d0c2cad7323720495165595e413bMichael Graff          addresses
b91bbaf50cf6d0c2cad7323720495165595e413bMichael Graff          of public web and mail servers need not allow dynamic update at
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff          all.
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff        </p>
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff</div>
b91bbaf50cf6d0c2cad7323720495165595e413bMichael Graff</div>
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff<div class="navfooter">
8cd870e3f5e3db9808a4a0d6f98db3d1a5348e40Michael Graff<hr>
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff<table width="100%" summary="Navigation footer">
8cd870e3f5e3db9808a4a0d6f98db3d1a5348e40Michael Graff<tr>
8cd870e3f5e3db9808a4a0d6f98db3d1a5348e40Michael Graff<td width="40%" align="left">
8cd870e3f5e3db9808a4a0d6f98db3d1a5348e40Michael Graff<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>�</td>
8cd870e3f5e3db9808a4a0d6f98db3d1a5348e40Michael Graff<td width="20%" align="center">�</td>
8cd870e3f5e3db9808a4a0d6f98db3d1a5348e40Michael Graff<td width="40%" align="right">�<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff</td>
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff</tr>
8cd870e3f5e3db9808a4a0d6f98db3d1a5348e40Michael Graff<tr>
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff<td width="40%" align="left" valign="top">Chapter�6.�<acronym class="acronym">BIND</acronym> 9 Configuration Reference�</td>
1a70537f01305cb84d402c84b1ba7cc89b97a5dcMichael Graff<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
1a70537f01305cb84d402c84b1ba7cc89b97a5dcMichael Graff<td width="40%" align="right" valign="top">�Chapter�8.�Troubleshooting</td>
1a70537f01305cb84d402c84b1ba7cc89b97a5dcMichael Graff</tr>
1a70537f01305cb84d402c84b1ba7cc89b97a5dcMichael Graff</table>
7dbf5a0b64237aa3052f04f4c8f7d56be8ec5d79Michael Graff</div>
</body>
</html>