Bv9ARM.ch07.html revision 984c2e9f76e66e86f7d9aca99a774836ddf196ea
<!--
 - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.ch07.html,v 1.167 2008/06/24 01:12:02 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter&nbsp;7.&nbsp;BIND 9 Security Considerations</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter&nbsp;6.&nbsp;BIND 9 Configuration Reference">
<link rel="next" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Chapter&nbsp;7.&nbsp;<acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>&nbsp;</td>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch07"></a>Chapter&nbsp;7.&nbsp;<acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2597361"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2597506">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2597565">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
<p>
Access Control Lists (ACLs) are address match lists that
you can set up and nickname for later use in options such as
<span><strong class="command">allow-notify</strong></span>,
<span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>,
<span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>,
<span><strong class="command">blackhole</strong></span> and <span><strong class="command">allow-transfer</strong></span>.
</p>
<p>
Using ACLs gives you finer control over who can access
your name server, without cluttering up your configuration files with huge
lists of IP addresses.
</p>
<p>
It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
control access to your server. Limiting access to your server by
outside parties can help prevent spoofing and denial of service (DoS) attacks against
your server.
</p>
<p>
Here is an example of how to properly apply ACLs:
</p>
<pre class="programlisting">
// Set up an ACL named "bogusnets" that will block RFC1918 space
// and some reserved space, which is commonly used in spoofing attacks.
acl bogusnets {
        0.0.0.0/8;  1.0.0.0/8;  2.0.0.0/8;  192.0.2.0/24;  224.0.0.0/3;
        10.0.0.0/8;  172.16.0.0/12;  192.168.0.0/16;
};
// Set up an ACL called our-nets. Replace this with the real IP numbers
// (the two prefixes below are RFC 5737 documentation space).
acl our-nets { 198.51.100.0/24; 203.0.113.0/24; };
options {
        allow-query { our-nets; };
        allow-recursion { our-nets; };
        blackhole { bogusnets; };
};
zone "example.com" {
        type master;
        file "m/example.com";
        allow-query { any; };
};
</pre>
<p>
This lets anyone query the <code class="literal">example.com</code> zone, because the zone-level
<span><strong class="command">allow-query { any; };</strong></span> overrides the default set in
<span><strong class="command">options</strong></span>, while recursive service is still limited to
<span><strong class="command">our-nets</strong></span> by <span><strong class="command">allow-recursion</strong></span>;
a zone-level <span><strong class="command">allow-query</strong></span> does not grant recursion to outside
parties. Also note that 1.0.0.0/8 and 2.0.0.0/8, which were unallocated when this list was written,
have since been assigned to ordinary use and must not be blackholed today; check the current IANA
special-purpose address registry before reusing any such list.
</p>
<p>
For more information on how to use ACLs to protect your server,
see the <span class="emphasis"><em>AUSCERT</em></span> advisory at:
<a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a>
</p>
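<p>
As an added illustration (example code written for this page, not part of the ARM or of BIND), here is a small Python model of how <span><strong class="command">named</strong></span> evaluates an address match list: elements are tried in order, the first element that matches decides, a matching negated ("!") element denies, and an address that matches nothing is treated as denied by the allow-* options. A nested ACL counts only a positive inner match, so a negated nested ACL cannot turn into a surprise allow through double negation. The our-nets prefixes, the outside addresses and the TSIG key name update-key are assumptions; bogusnets follows the fragment above, including the RFC 1918 prefixes its comment mentions.
</p>

```python
"""
Added example (not from the BIND ARM or ISC): evaluate BIND-style address
match lists the way named does.  ACL names mirror the named.conf fragment
above; the prefixes in "our-nets" and the TSIG key name are made up.
"""
import ipaddress

# Constructed ACL table: name -> address match list (order matters).
ACLS = {
    "bogusnets": ["0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
                  "192.168.0.0/16", "192.0.2.0/24", "224.0.0.0/3"],
    "our-nets": ["198.51.100.0/24", "203.0.113.0/24"],   # replace with real prefixes
}


def _element_matches(client, signer, element):
    """True if one non-negated element matches the client address or TSIG signer."""
    if element == "any":
        return True
    if element == "none":
        return False
    if element.startswith("key "):
        # "key <name>" matches only requests carrying a valid TSIG from that key;
        # the source address is irrelevant, which is the whole point for updates.
        return signer is not None and signer == element[4:].strip()
    if element in ACLS:
        # Nested ACL: named counts only a positive inner match; a negated
        # element matching inside the nested list is treated as "no match".
        return evaluate(ACLS[element], client, signer) is True
    return client in ipaddress.ip_network(element, strict=False)


def evaluate(match_list, client, signer=None):
    """
    First-match evaluation: walk the list in order and let the first element
    that matches decide.  Returns True (allowed), False (a negated "!" element
    matched, i.e. denied) or None (nothing matched, which named also denies).
    """
    if isinstance(client, str):
        client = ipaddress.ip_address(client)
    for element in match_list:
        negated = element.startswith("!")
        body = element.lstrip("!").strip()
        if _element_matches(client, signer, body):
            return not negated
    return None


def allowed(match_list, client, signer=None):
    """Access-control decision as named applies it: only a positive match allows."""
    return evaluate(match_list, client, signer) is True


def decide(client, signer=None):
    """Apply the policy of the named.conf fragment above to one client."""
    if allowed(["bogusnets"], client):
        return {"blackhole": True}          # dropped before any other option is consulted
    return {
        "blackhole": False,
        "query": allowed(["our-nets"], client),
        "recursion": allowed(["our-nets"], client),
        "update": allowed(["key update-key"], client, signer),   # assumed key name
    }


if __name__ == "__main__":
    for ip in ("203.0.113.7", "192.168.1.1", "2001:db8::1"):
        print(ip, decide(ip))
    # Order matters: the first match wins.
    print(evaluate(["!203.0.113.7", "our-nets"], "203.0.113.7"))   # False
    print(evaluate(["our-nets", "!203.0.113.7"], "203.0.113.7"))   # True
```

<p>
Running it shows that moving a negated entry before or after a broader prefix changes the outcome, and that a <span><strong class="command">key</strong></span> element admits a request only on the strength of its TSIG signer, never its source address.
</p>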
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2597361"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></h2></div></div></div>
<p>
On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym> in a <span class="emphasis"><em>chrooted</em></span> environment
(using the <span><strong class="command">chroot()</strong></span> function) by specifying the "<code class="option">-t</code>"
option. This can help improve system security by placing <acronym class="acronym">BIND</acronym> in
a "sandbox", which will limit the damage done if a server is
</p>
<p>
Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
ability to run the daemon as an unprivileged user (<code class="option">-u</code> <em class="replaceable"><code>user</code></em>).
We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature,
since a process that keeps root can generally break out of a <span><strong class="command">chroot</strong></span>.
</p>
<p>
Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
<span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
user 202:
</p>
<pre class="screen"><strong class="userinput"><code>/usr/local/bin/named -u 202 -t /var/named</code></strong></pre>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2597506"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
<p>
In order for a <span><strong class="command">chroot</strong></span> environment to
work properly in a particular directory
(for example, <code class="filename">/var/named</code>),
you will need to set up an environment that includes everything
<acronym class="acronym">BIND</acronym> needs to run.
From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
the root of the filesystem. You will need to adjust the values of options
like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
for this: they are interpreted relative to the new root, so a
<span><strong class="command">pid-file</strong></span> of <code class="filename">/var/run/named.pid</code>
is written to <code class="filename">/var/named/var/run/named.pid</code> on the host.
</p>
<p>
Unlike with earlier versions of BIND, you typically will
<span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
statically nor install shared libraries under the new root.
However, depending on your operating system, you may need
to set up things like
<code class="filename">/etc/localtime</code> (and, where <span><strong class="command">named</strong></span>
logs via syslog, a <code class="filename">/dev/log</code> socket inside the new root).
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2597565"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
<p>
Prior to running the <span><strong class="command">named</strong></span> daemon, use
the <span><strong class="command">touch</strong></span> utility (to change file
modification times) or the <span><strong class="command">chown</strong></span> utility
(to set the owner) on the files and directories
to which you want <acronym class="acronym">BIND</acronym> to write, such as the
zone files of slave and dynamically updated zones and the directory holding the
pid file, so that they belong to the unprivileged user.
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<p>
Note that if the <span><strong class="command">named</strong></span> daemon is running as an
unprivileged user, it will not be able to bind to new restricted
ports if the server is reloaded. (On Linux, <span><strong class="command">named</strong></span> uses the
kernel's capability mechanism to keep the ability to bind to a privileged port after
dropping the other root privileges; see the <code class="option">-u</code> option in the
<span><strong class="command">named</strong></span> manual page.)
</p>
</div>
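<p>
An added example (written for this page, not ISC code) of the pre-flight check the procedure above calls for, in Python: it reads <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> from a constructed named.conf, maps them under the <span><strong class="command">chroot</strong></span> root the way <code class="option">-t</code> will, and confirms the targets exist and are writable by the uid/gid you will pass to <code class="option">-u</code>. The conf text, tree layout and ids are assumptions for the demo.
</p>

```python
"""
Added example (not ISC code): sanity-check a chroot tree before starting
named -u <user> -t <root>.  The named.conf text, the tree layout and the
uid/gid are constructed for the demo.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# The two options named resolves inside the chroot; simple quoted-string form only.
OPTION_RE = re.compile(r'\b(directory|pid-file)\s+"([^"]+)"\s*;')

DEMO_CONF = """\
options {
    directory "/var/named";            // as seen from inside the chroot
    pid-file "/var/run/named.pid";     // host path: <root>/var/run/named.pid
    recursion no;
};
"""


def parse_paths(conf_text):
    """Return (directory, pid-file) from the options block; None for a missing one."""
    found = dict(OPTION_RE.findall(conf_text))
    return found.get("directory"), found.get("pid-file")


def under_root(root, path):
    """Map an absolute path as named sees it onto the host filesystem."""
    return Path(root) / Path(path).relative_to("/")


def writable_by(path, uid, gid):
    """Classic owner/group/other check, good enough for the unprivileged named user."""
    st = path.stat()
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def check_chroot(root, conf_text, uid, gid):
    """Return a list of problems found; an empty list means the tree looks usable."""
    problems = []
    directory, pid_file = parse_paths(conf_text)
    for label, p in (("directory", directory), ("pid-file", pid_file)):
        if p is None:
            problems.append(f"{label} is not set")
            continue
        if not p.startswith("/"):
            problems.append(f"{label} {p!r} is not absolute")
            continue
        host = under_root(root, p)
        # named must write into the directory itself, and into the pid file's parent.
        target = host if label == "directory" else host.parent
        if not target.is_dir():
            problems.append(f"{label}: {target} does not exist under the chroot")
        elif not writable_by(target, uid, gid):
            problems.append(f"{label}: {target} is not writable by uid {uid}/gid {gid}")
    if not (Path(root) / "etc" / "localtime").exists():
        problems.append("etc/localtime is missing, so named cannot determine the local time zone")
    return problems


def build_demo_tree(root):
    """Create the minimal layout DEMO_CONF needs (leaf dirs mode 0750); returns root."""
    for sub in ("etc", "var/named", "var/run"):
        os.makedirs(os.path.join(root, sub), mode=0o750, exist_ok=True)
    Path(root, "etc", "localtime").touch()
    return root


if __name__ == "__main__":
    root = build_demo_tree(tempfile.mkdtemp(prefix="named-chroot-"))
    print(check_chroot(root, DEMO_CONF, os.getuid(), os.getgid()) or "chroot tree looks usable")
```

<p>
In real use you would pass the uid and gid of the account named will switch to, and run the check as root right before starting the daemon; any entry it reports is a file named will fail to write once it has dropped privileges.
</p>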
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
<p>
Access to the dynamic
update facility should be strictly limited. In earlier versions of
<acronym class="acronym">BIND</acronym>, the only way to do this was
based on the IP
address of the host requesting the update, by listing an IP address or
network prefix in the <span><strong class="command">allow-update</strong></span>
zone option.
This method is insecure since the source address of the update UDP packet
is easily forged. Also note that if the IP addresses allowed by the
<span><strong class="command">allow-update</strong></span> option include the
address of a slave
server which performs forwarding of dynamic updates, the master can be
trivially attacked by sending the update to the slave, which will
forward it to the master with its own source IP address, causing the
master to approve it without question.
</p>
<p>
For these reasons, we strongly recommend that updates be
cryptographically authenticated by means of transaction signatures
(TSIG). That is, the <span><strong class="command">allow-update</strong></span>
option should
list only TSIG key names, not IP addresses or network
prefixes. Alternatively, the <span><strong class="command">update-policy</strong></span>
option can be used, which grants each key the right to change only
specific names and record types rather than the whole zone.
</p>
<p>
Some sites choose to keep all dynamically updated DNS data
in a subdomain and delegate that subdomain to a separate zone. This
way, the top-level zone containing critical data such as the IP addresses
of public web and mail servers need not allow dynamic update at
</p>
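<p>
To make concrete what TSIG authentication actually covers, here is an added Python example (written for this page, not ISC code) that builds a minimal DNS UPDATE and signs and verifies it with an hmac-sha256 TSIG record using only the standard library. The zone <code class="literal">dyn.example.</code>, the key name <code class="literal">update-key.example.</code>, the secret and the address are constructed values; in named.conf such a key would be referenced as <span><strong class="command">allow-update { key update-key.example.; };</strong></span> (assumed key name).
</p>

```python
"""
Added example (not ISC code): build a DNS UPDATE message (RFC 2136) and sign
and verify it with TSIG (RFC 8945, hmac-sha256) using only the standard
library.  Key name, secret, zone and addresses are constructed test values.
"""
import hashlib
import hmac
import struct
import time

TSIG_TYPE, CLASS_ANY, OPCODE_UPDATE = 250, 255, 5
ALG_NAME = "hmac-sha256."
KEY_NAME = "update-key.example."          # assumed key name; must match named.conf
SECRET = b"constructed-test-secret"       # constructed, not a real key


def encode_name(name):
    """Uncompressed, lowercased (canonical) wire form of a dotted name."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.lower().rstrip(".").split(".") if l)
    return out + b"\x00"


def decode_name(msg, off):
    """Parse an uncompressed name at msg[off:]; returns (name, offset after it)."""
    labels = []
    while msg[off] != 0:
        if msg[off] & 0xC0:
            raise ValueError("compression pointers are not handled here")
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
        off += 1 + msg[off]
    return ".".join(labels) + ".", off + 1


def build_update(msg_id, zone, name, ttl, ipv4):
    """Minimal UPDATE adding one A record: header, zone section, one update RR."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", 6, 1)              # SOA, IN
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    update_rr = encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata  # A, IN
    return header + zone_section + update_rr


def _pack_time(t):
    return struct.pack("!HI", t >> 32, t & 0xFFFFFFFF)      # 48-bit "time signed"


def tsig_variables(time_signed, fudge, error=0, other=b""):
    """The TSIG fields covered by the MAC (RFC 8945 section 4.3.3)."""
    return (encode_name(KEY_NAME) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(ALG_NAME) + _pack_time(time_signed)
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(msg, secret, time_signed, fudge=300):
    """Append a TSIG RR; the MAC covers the whole unsigned message plus the TSIG variables."""
    mac = hmac.new(secret, msg + tsig_variables(time_signed, fudge), hashlib.sha256).digest()
    rdata = (encode_name(ALG_NAME) + _pack_time(time_signed)
             + struct.pack("!HH", fudge, len(mac)) + mac
             + msg[:2] + struct.pack("!HH", 0, 0))          # original ID, error, other len
    rr = encode_name(KEY_NAME) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr


def tsig_verify(signed, secret, now):
    """Locate the TSIG RR, check key, algorithm, time window and MAC; True only if all pass."""
    counts = list(struct.unpack("!HHHH", signed[4:12]))
    off, tsig_start = 12, None
    for section, count in enumerate(counts):
        for _ in range(count):
            tsig_start = off
            _, off = decode_name(signed, off)
            off += 4 if section == 0 else 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    if counts[3] == 0 or off != len(signed):
        return False                                          # unsigned or malformed
    key_name, p = decode_name(signed, tsig_start)
    rtype = struct.unpack("!H", signed[p:p + 2])[0]
    alg, p = decode_name(signed, p + 10)
    hi, lo, fudge, mac_len = struct.unpack("!HIHH", signed[p:p + 10])
    mac, p = signed[p + 10:p + 10 + mac_len], p + 10 + mac_len
    orig_id, error, other_len = struct.unpack("!HHH", signed[p:p + 6])
    other = signed[p + 6:p + 6 + other_len]
    time_signed = (hi << 32) | lo
    if (rtype != TSIG_TYPE or key_name != KEY_NAME or alg != ALG_NAME or error != 0
            or orig_id != struct.unpack("!H", signed[:2])[0] or abs(now - time_signed) > fudge):
        return False
    # Reconstruct what the signer MAC'd: the message without the TSIG RR, ARCOUNT decremented.
    body = signed[:10] + struct.pack("!H", counts[3] - 1) + signed[12:tsig_start]
    expected = hmac.new(secret, body + tsig_variables(time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


if __name__ == "__main__":
    update = build_update(0x1234, "dyn.example.", "host1.dyn.example.", 300, "192.0.2.10")
    now = int(time.time())
    signed = tsig_sign(update, SECRET, now)
    print("TSIG RR adds", len(signed) - len(update), "bytes; verifies:", tsig_verify(signed, SECRET, now))
    print("same update without a signature:", tsig_verify(update, SECRET, now))
```

<p>
The MAC covers the entire request together with the key name, algorithm and signing time; the source address is not part of it, which is why neither a spoofed packet nor one relayed by a slave can pass as the key holder's, and why the fudge window (300 seconds here) bounds replay of a captured update.
</p>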
<table width="100%" summary="Navigation footer">
<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>&nbsp;</td>
<td width="40%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
<td width="40%" align="left" valign="top">Chapter&nbsp;6.&nbsp;<acronym class="acronym">BIND</acronym> 9 Configuration Reference&nbsp;</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">&nbsp;Chapter&nbsp;8.&nbsp;Troubleshooting</td>