0b2c738975b364a61e573387b56359586429777dvboxsync<!--
0b2c738975b364a61e573387b56359586429777dvboxsync - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
0b2c738975b364a61e573387b56359586429777dvboxsync - Copyright (C) 2000-2003 Internet Software Consortium.
0b2c738975b364a61e573387b56359586429777dvboxsync -
0b2c738975b364a61e573387b56359586429777dvboxsync - Permission to use, copy, modify, and/or distribute this software for any
0b2c738975b364a61e573387b56359586429777dvboxsync - purpose with or without fee is hereby granted, provided that the above
0b2c738975b364a61e573387b56359586429777dvboxsync - copyright notice and this permission notice appear in all copies.
0b2c738975b364a61e573387b56359586429777dvboxsync -
0b2c738975b364a61e573387b56359586429777dvboxsync - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
0b2c738975b364a61e573387b56359586429777dvboxsync - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
0b2c738975b364a61e573387b56359586429777dvboxsync - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
0b2c738975b364a61e573387b56359586429777dvboxsync - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
0b2c738975b364a61e573387b56359586429777dvboxsync - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
0b2c738975b364a61e573387b56359586429777dvboxsync - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
0b2c738975b364a61e573387b56359586429777dvboxsync - PERFORMANCE OF THIS SOFTWARE.
0b2c738975b364a61e573387b56359586429777dvboxsync-->
0b2c738975b364a61e573387b56359586429777dvboxsync<!-- $Id$ -->
0b2c738975b364a61e573387b56359586429777dvboxsync<html>
0b2c738975b364a61e573387b56359586429777dvboxsync<head>
0b2c738975b364a61e573387b56359586429777dvboxsync<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter&nbsp;7.&nbsp;BIND 9 Security Considerations</title>
0b2c738975b364a61e573387b56359586429777dvboxsync<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
0b2c738975b364a61e573387b56359586429777dvboxsync<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
0b2c738975b364a61e573387b56359586429777dvboxsync<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter&nbsp;6.&nbsp;BIND 9 Configuration Reference">
<link rel="next" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
0b2c738975b364a61e573387b56359586429777dvboxsync</head>
0b2c738975b364a61e573387b56359586429777dvboxsync<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
0b2c738975b364a61e573387b56359586429777dvboxsync<div class="navheader">
0b2c738975b364a61e573387b56359586429777dvboxsync<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Chapter&nbsp;7.&nbsp;<acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
0b2c738975b364a61e573387b56359586429777dvboxsync<tr>
0b2c738975b364a61e573387b56359586429777dvboxsync<td width="20%" align="left">
<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">&nbsp;</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
0b2c738975b364a61e573387b56359586429777dvboxsync</td>
0b2c738975b364a61e573387b56359586429777dvboxsync</tr>
0b2c738975b364a61e573387b56359586429777dvboxsync</table>
0b2c738975b364a61e573387b56359586429777dvboxsync<hr>
0b2c738975b364a61e573387b56359586429777dvboxsync</div>
0b2c738975b364a61e573387b56359586429777dvboxsync<div class="chapter" lang="en">
0b2c738975b364a61e573387b56359586429777dvboxsync<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch07"></a>Chapter&nbsp;7.&nbsp;<acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
0b2c738975b364a61e573387b56359586429777dvboxsync<div class="toc">
0b2c738975b364a61e573387b56359586429777dvboxsync<p><b>Table of Contents</b></p>
0b2c738975b364a61e573387b56359586429777dvboxsync<dl>
0b2c738975b364a61e573387b56359586429777dvboxsync<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
0b2c738975b364a61e573387b56359586429777dvboxsync<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2606958"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
0b2c738975b364a61e573387b56359586429777dvboxsync<dd><dl>
0b2c738975b364a61e573387b56359586429777dvboxsync<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2607108">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
0b2c738975b364a61e573387b56359586429777dvboxsync<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2607168">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
0b2c738975b364a61e573387b56359586429777dvboxsync</dl></dd>
0b2c738975b364a61e573387b56359586429777dvboxsync<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
0b2c738975b364a61e573387b56359586429777dvboxsync</dl>
0b2c738975b364a61e573387b56359586429777dvboxsync</div>
0b2c738975b364a61e573387b56359586429777dvboxsync<div class="sect1" lang="en">
0b2c738975b364a61e573387b56359586429777dvboxsync<div class="titlepage"><div><div><h2 class="title" style="clear: both">
0b2c738975b364a61e573387b56359586429777dvboxsync<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
0b2c738975b364a61e573387b56359586429777dvboxsync<p>
0b2c738975b364a61e573387b56359586429777dvboxsync Access Control Lists (ACLs) are address match lists that
0b2c738975b364a61e573387b56359586429777dvboxsync you can set up and nickname for future use in
0b2c738975b364a61e573387b56359586429777dvboxsync <span><strong class="command">allow-notify</strong></span>, <span><strong class="command">allow-query</strong></span>,
0b2c738975b364a61e573387b56359586429777dvboxsync <span><strong class="command">allow-query-on</strong></span>, <span><strong class="command">allow-recursion</strong></span>,
0b2c738975b364a61e573387b56359586429777dvboxsync <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
0b2c738975b364a61e573387b56359586429777dvboxsync <span><strong class="command">match-clients</strong></span>, etc.
0b2c738975b364a61e573387b56359586429777dvboxsync </p>
0b2c738975b364a61e573387b56359586429777dvboxsync<p>
0b2c738975b364a61e573387b56359586429777dvboxsync Using ACLs allows you to have finer control over who can access
0b2c738975b364a61e573387b56359586429777dvboxsync your name server, without cluttering up your config files with huge
0b2c738975b364a61e573387b56359586429777dvboxsync lists of IP addresses.
0b2c738975b364a61e573387b56359586429777dvboxsync </p>
0b2c738975b364a61e573387b56359586429777dvboxsync<p>
0b2c738975b364a61e573387b56359586429777dvboxsync It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
0b2c738975b364a61e573387b56359586429777dvboxsync control access to your server. Limiting access to your server by
0b2c738975b364a61e573387b56359586429777dvboxsync outside parties can help prevent spoofing and denial of service
0b2c738975b364a61e573387b56359586429777dvboxsync (DoS) attacks against your server.
0b2c738975b364a61e573387b56359586429777dvboxsync </p>
0b2c738975b364a61e573387b56359586429777dvboxsync<p>
0b2c738975b364a61e573387b56359586429777dvboxsync ACLs match clients on the basis of up to three characteristics:
0b2c738975b364a61e573387b56359586429777dvboxsync 1) The client's IP address; 2) the TSIG or SIG(0) key that was
0b2c738975b364a61e573387b56359586429777dvboxsync used to sign the request, if any; and 3) an address prefix
0b2c738975b364a61e573387b56359586429777dvboxsync encoded in an EDNS Client Subnet option, if any.
0b2c738975b364a61e573387b56359586429777dvboxsync </p>
0b2c738975b364a61e573387b56359586429777dvboxsync<p>
0b2c738975b364a61e573387b56359586429777dvboxsync Here is an example of ACLs based on client addresses:
0b2c738975b364a61e573387b56359586429777dvboxsync </p>
0b2c738975b364a61e573387b56359586429777dvboxsync<pre class="programlisting">
0b2c738975b364a61e573387b56359586429777dvboxsync// Set up an ACL named "bogusnets" that will block
0b2c738975b364a61e573387b56359586429777dvboxsync// RFC1918 space and some reserved space, which is
0b2c738975b364a61e573387b56359586429777dvboxsync// commonly used in spoofing attacks.
0b2c738975b364a61e573387b56359586429777dvboxsyncacl bogusnets {
0b2c738975b364a61e573387b56359586429777dvboxsync 0.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
0b2c738975b364a61e573387b56359586429777dvboxsync 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
0b2c738975b364a61e573387b56359586429777dvboxsync};
0b2c738975b364a61e573387b56359586429777dvboxsync
0b2c738975b364a61e573387b56359586429777dvboxsync// Set up an ACL called our-nets. Replace this with the
0b2c738975b364a61e573387b56359586429777dvboxsync// real IP numbers.
0b2c738975b364a61e573387b56359586429777dvboxsyncacl our-nets { x.x.x.x/24; x.x.x.x/21; };
0b2c738975b364a61e573387b56359586429777dvboxsyncoptions {
0b2c738975b364a61e573387b56359586429777dvboxsync ...
0b2c738975b364a61e573387b56359586429777dvboxsync ...
0b2c738975b364a61e573387b56359586429777dvboxsync allow-query { our-nets; };
0b2c738975b364a61e573387b56359586429777dvboxsync allow-recursion { our-nets; };
0b2c738975b364a61e573387b56359586429777dvboxsync ...
0b2c738975b364a61e573387b56359586429777dvboxsync blackhole { bogusnets; };
0b2c738975b364a61e573387b56359586429777dvboxsync ...
0b2c738975b364a61e573387b56359586429777dvboxsync};
0b2c738975b364a61e573387b56359586429777dvboxsync
0b2c738975b364a61e573387b56359586429777dvboxsynczone "example.com" {
0b2c738975b364a61e573387b56359586429777dvboxsync type master;
0b2c738975b364a61e573387b56359586429777dvboxsync file "m/example.com";
0b2c738975b364a61e573387b56359586429777dvboxsync allow-query { any; };
0b2c738975b364a61e573387b56359586429777dvboxsync};
0b2c738975b364a61e573387b56359586429777dvboxsync</pre>
0b2c738975b364a61e573387b56359586429777dvboxsync<p>
0b2c738975b364a61e573387b56359586429777dvboxsync This allows authoritative queries for "example.com" from any
0b2c738975b364a61e573387b56359586429777dvboxsync address, but recursive queries only from the networks specified
0b2c738975b364a61e573387b56359586429777dvboxsync in "our-nets", and no queries at all from the networks
0b2c738975b364a61e573387b56359586429777dvboxsync specified in "bogusnets".
0b2c738975b364a61e573387b56359586429777dvboxsync </p>
0b2c738975b364a61e573387b56359586429777dvboxsync<p>
0b2c738975b364a61e573387b56359586429777dvboxsync In addition to network addresses and prefixes, which are
0b2c738975b364a61e573387b56359586429777dvboxsync matched against the source address of the DNS request, ACLs
0b2c738975b364a61e573387b56359586429777dvboxsync may include <code class="option">key</code> elements, which specify the
0b2c738975b364a61e573387b56359586429777dvboxsync name of a TSIG or SIG(0) key, or <code class="option">ecs</code>
0b2c738975b364a61e573387b56359586429777dvboxsync elements, which specify a network prefix but are only matched
0b2c738975b364a61e573387b56359586429777dvboxsync if that prefix matches an EDNS client subnet option included
0b2c738975b364a61e573387b56359586429777dvboxsync in the request.
0b2c738975b364a61e573387b56359586429777dvboxsync </p>
0b2c738975b364a61e573387b56359586429777dvboxsync<p>
0b2c738975b364a61e573387b56359586429777dvboxsync The EDNS Client Subnet (ECS) option is used by a recursive
0b2c738975b364a61e573387b56359586429777dvboxsync resolver to inform an authoritative name server of the network
0b2c738975b364a61e573387b56359586429777dvboxsync address block from which the original query was received, enabling
0b2c738975b364a61e573387b56359586429777dvboxsync authoritative servers to give different answers to the same
0b2c738975b364a61e573387b56359586429777dvboxsync resolver for different resolver clients. An ACL containing
0b2c738975b364a61e573387b56359586429777dvboxsync an element of the form
0b2c738975b364a61e573387b56359586429777dvboxsync <span><strong class="command">ecs <em class="replaceable"><code>prefix</code></em></strong></span>
 will match if a request arrives containing an ECS option
0b2c738975b364a61e573387b56359586429777dvboxsync encoding an address within that prefix. If the request has no
0b2c738975b364a61e573387b56359586429777dvboxsync ECS option, then "ecs" elements are simply ignored. Addresses
0b2c738975b364a61e573387b56359586429777dvboxsync in ACLs that are not prefixed with "ecs" are matched only
0b2c738975b364a61e573387b56359586429777dvboxsync against the source address.
0b2c738975b364a61e573387b56359586429777dvboxsync </p>
0b2c738975b364a61e573387b56359586429777dvboxsync<p>
0b2c738975b364a61e573387b56359586429777dvboxsync When <acronym class="acronym">BIND</acronym> 9 is built with GeoIP support,
0b2c738975b364a61e573387b56359586429777dvboxsync ACLs can also be used for geographic access restrictions.
0b2c738975b364a61e573387b56359586429777dvboxsync This is done by specifying an ACL element of the form:
0b2c738975b364a61e573387b56359586429777dvboxsync <span><strong class="command">geoip [<span class="optional">db <em class="replaceable"><code>database</code></em></span>] <em class="replaceable"><code>field</code></em> <em class="replaceable"><code>value</code></em></strong></span>
0b2c738975b364a61e573387b56359586429777dvboxsync </p>
0b2c738975b364a61e573387b56359586429777dvboxsync<p>
0b2c738975b364a61e573387b56359586429777dvboxsync The <em class="replaceable"><code>field</code></em> indicates which field
0b2c738975b364a61e573387b56359586429777dvboxsync to search for a match. Available fields are "country",
0b2c738975b364a61e573387b56359586429777dvboxsync "region", "city", "continent", "postal" (postal code),
0b2c738975b364a61e573387b56359586429777dvboxsync "metro" (metro code), "area" (area code), "tz" (timezone),
0b2c738975b364a61e573387b56359586429777dvboxsync "isp", "org", "asnum", "domain" and "netspeed".
0b2c738975b364a61e573387b56359586429777dvboxsync </p>
0b2c738975b364a61e573387b56359586429777dvboxsync<p>
0b2c738975b364a61e573387b56359586429777dvboxsync <em class="replaceable"><code>value</code></em> is the value to search
0b2c738975b364a61e573387b56359586429777dvboxsync for within the database. A string may be quoted if it
0b2c738975b364a61e573387b56359586429777dvboxsync contains spaces or other special characters. If this is
0b2c738975b364a61e573387b56359586429777dvboxsync an "asnum" search, then the leading "ASNNNN" string can be
0b2c738975b364a61e573387b56359586429777dvboxsync used, otherwise the full description must be used (e.g.
0b2c738975b364a61e573387b56359586429777dvboxsync "ASNNNN Example Company Name"). If this is a "country"
0b2c738975b364a61e573387b56359586429777dvboxsync search and the string is two characters long, then it must
0b2c738975b364a61e573387b56359586429777dvboxsync be a standard ISO-3166-1 two-letter country code, and if it
0b2c738975b364a61e573387b56359586429777dvboxsync is three characters long then it must be an ISO-3166-1
0b2c738975b364a61e573387b56359586429777dvboxsync three-letter country code; otherwise it is the full name
0b2c738975b364a61e573387b56359586429777dvboxsync of the country. Similarly, if this is a "region" search
0b2c738975b364a61e573387b56359586429777dvboxsync and the string is two characters long, then it must be a
0b2c738975b364a61e573387b56359586429777dvboxsync standard two-letter state or province abbreviation;
0b2c738975b364a61e573387b56359586429777dvboxsync otherwise it is the full name of the state or province.
0b2c738975b364a61e573387b56359586429777dvboxsync </p>
0b2c738975b364a61e573387b56359586429777dvboxsync<p>
0b2c738975b364a61e573387b56359586429777dvboxsync The <em class="replaceable"><code>database</code></em> field indicates which
0b2c738975b364a61e573387b56359586429777dvboxsync GeoIP database to search for a match. In most cases this is
0b2c738975b364a61e573387b56359586429777dvboxsync unnecessary, because most search fields can only be found in
0b2c738975b364a61e573387b56359586429777dvboxsync a single database. However, searches for country can be
0b2c738975b364a61e573387b56359586429777dvboxsync answered from the "city", "region", or "country" databases,
0b2c738975b364a61e573387b56359586429777dvboxsync and searches for region (i.e., state or province) can be
0b2c738975b364a61e573387b56359586429777dvboxsync answered from the "city" or "region" databases. For these
0b2c738975b364a61e573387b56359586429777dvboxsync search types, specifying a <em class="replaceable"><code>database</code></em>
0b2c738975b364a61e573387b56359586429777dvboxsync will force the query to be answered from that database and no
0b2c738975b364a61e573387b56359586429777dvboxsync other. If <em class="replaceable"><code>database</code></em> is not
 specified, then these queries will be answered from the "city"
 database if it is installed, or the "region" database if it is
0b2c738975b364a61e573387b56359586429777dvboxsync installed, or the "country" database, in that order.
0b2c738975b364a61e573387b56359586429777dvboxsync </p>
0b2c738975b364a61e573387b56359586429777dvboxsync<p>
0b2c738975b364a61e573387b56359586429777dvboxsync By default, if a DNS query includes an EDNS Client Subnet (ECS)
0b2c738975b364a61e573387b56359586429777dvboxsync option which encodes a non-zero address prefix, then GeoIP ACLs
0b2c738975b364a61e573387b56359586429777dvboxsync will be matched against that address prefix. Otherwise, they
0b2c738975b364a61e573387b56359586429777dvboxsync are matched against the source address of the query. To
 prevent GeoIP ACLs from matching against ECS options, set
 the <span><strong class="command">geoip-use-ecs</strong></span> option to <code class="literal">no</code>.
0b2c738975b364a61e573387b56359586429777dvboxsync </p>
0b2c738975b364a61e573387b56359586429777dvboxsync<p>
0b2c738975b364a61e573387b56359586429777dvboxsync Some example GeoIP ACLs:
0b2c738975b364a61e573387b56359586429777dvboxsync </p>
0b2c738975b364a61e573387b56359586429777dvboxsync<pre class="programlisting">geoip country US;
0b2c738975b364a61e573387b56359586429777dvboxsyncgeoip country JAP;
0b2c738975b364a61e573387b56359586429777dvboxsyncgeoip db country country Canada;
0b2c738975b364a61e573387b56359586429777dvboxsyncgeoip db region region WA;
0b2c738975b364a61e573387b56359586429777dvboxsyncgeoip city "San Francisco";
0b2c738975b364a61e573387b56359586429777dvboxsyncgeoip region Oklahoma;
0b2c738975b364a61e573387b56359586429777dvboxsyncgeoip postal 95062;
0b2c738975b364a61e573387b56359586429777dvboxsyncgeoip tz "America/Los_Angeles";
0b2c738975b364a61e573387b56359586429777dvboxsyncgeoip org "Internet Systems Consortium";
0b2c738975b364a61e573387b56359586429777dvboxsync</pre>
0b2c738975b364a61e573387b56359586429777dvboxsync<p>
0b2c738975b364a61e573387b56359586429777dvboxsync ACLs use a "first-match" logic rather than "best-match":
0b2c738975b364a61e573387b56359586429777dvboxsync if an address prefix matches an ACL element, then that ACL
0b2c738975b364a61e573387b56359586429777dvboxsync is considered to have matched even if a later element would
0b2c738975b364a61e573387b56359586429777dvboxsync have matched more specifically. For example, the ACL
0b2c738975b364a61e573387b56359586429777dvboxsync <span><strong class="command"> { 10/8; !10.0.0.1; }</strong></span> would actually
0b2c738975b364a61e573387b56359586429777dvboxsync match a query from 10.0.0.1, because the first element
0b2c738975b364a61e573387b56359586429777dvboxsync indicated that the query should be accepted, and the second
0b2c738975b364a61e573387b56359586429777dvboxsync element is ignored.
0b2c738975b364a61e573387b56359586429777dvboxsync </p>
0b2c738975b364a61e573387b56359586429777dvboxsync<p>
0b2c738975b364a61e573387b56359586429777dvboxsync When using "nested" ACLs (that is, ACLs included or referenced
 within other ACLs), a negative match of a nested ACL will
 cause the containing ACL to continue looking for matches. This
0b2c738975b364a61e573387b56359586429777dvboxsync enables complex ACLs to be constructed, in which multiple
0b2c738975b364a61e573387b56359586429777dvboxsync client characteristics can be checked at the same time. For
0b2c738975b364a61e573387b56359586429777dvboxsync example, to construct an ACL which allows queries only when
0b2c738975b364a61e573387b56359586429777dvboxsync it originates from a particular network <span class="emphasis"><em>and</em></span>
0b2c738975b364a61e573387b56359586429777dvboxsync only when it is signed with a particular key, use:
0b2c738975b364a61e573387b56359586429777dvboxsync </p>
0b2c738975b364a61e573387b56359586429777dvboxsync<pre class="programlisting">
0b2c738975b364a61e573387b56359586429777dvboxsyncallow-query { !{ !10/8; any; }; key example; };
0b2c738975b364a61e573387b56359586429777dvboxsync</pre>
0b2c738975b364a61e573387b56359586429777dvboxsync<p>
0b2c738975b364a61e573387b56359586429777dvboxsync Within the nested ACL, any address that is
0b2c738975b364a61e573387b56359586429777dvboxsync <span class="emphasis"><em>not</em></span> in the 10/8 network prefix will
0b2c738975b364a61e573387b56359586429777dvboxsync be rejected, and this will terminate processing of the
0b2c738975b364a61e573387b56359586429777dvboxsync ACL. Any address that <span class="emphasis"><em>is</em></span> in the 10/8
0b2c738975b364a61e573387b56359586429777dvboxsync network prefix will be accepted, but this causes a negative
0b2c738975b364a61e573387b56359586429777dvboxsync match of the nested ACL, so the containing ACL continues
0b2c738975b364a61e573387b56359586429777dvboxsync processing. The query will then be accepted if it is signed
0b2c738975b364a61e573387b56359586429777dvboxsync by the key "example", and rejected otherwise. The ACL, then,
 will only match when <span class="emphasis"><em>both</em></span> conditions
0b2c738975b364a61e573387b56359586429777dvboxsync are true.
0b2c738975b364a61e573387b56359586429777dvboxsync </p>
0b2c738975b364a61e573387b56359586429777dvboxsync</div>
0b2c738975b364a61e573387b56359586429777dvboxsync<div class="sect1" lang="en">
0b2c738975b364a61e573387b56359586429777dvboxsync<div class="titlepage"><div><div><h2 class="title" style="clear: both">
0b2c738975b364a61e573387b56359586429777dvboxsync<a name="id2606958"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
0b2c738975b364a61e573387b56359586429777dvboxsync</h2></div></div></div>
0b2c738975b364a61e573387b56359586429777dvboxsync<p>
0b2c738975b364a61e573387b56359586429777dvboxsync On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
0b2c738975b364a61e573387b56359586429777dvboxsync in a <span class="emphasis"><em>chrooted</em></span> environment (using
0b2c738975b364a61e573387b56359586429777dvboxsync the <span><strong class="command">chroot()</strong></span> function) by specifying
0b2c738975b364a61e573387b56359586429777dvboxsync the "<code class="option">-t</code>" option for <span><strong class="command">named</strong></span>.
0b2c738975b364a61e573387b56359586429777dvboxsync This can help improve system security by placing
0b2c738975b364a61e573387b56359586429777dvboxsync <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
0b2c738975b364a61e573387b56359586429777dvboxsync the damage done if a server is compromised.
0b2c738975b364a61e573387b56359586429777dvboxsync </p>
0b2c738975b364a61e573387b56359586429777dvboxsync<p>
0b2c738975b364a61e573387b56359586429777dvboxsync Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
 ability to run the daemon as an unprivileged user (<code class="option">-u</code> <em class="replaceable"><code>user</code></em>).
0b2c738975b364a61e573387b56359586429777dvboxsync We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.
0b2c738975b364a61e573387b56359586429777dvboxsync </p>
0b2c738975b364a61e573387b56359586429777dvboxsync<p>
0b2c738975b364a61e573387b56359586429777dvboxsync Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
0b2c738975b364a61e573387b56359586429777dvboxsync <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
0b2c738975b364a61e573387b56359586429777dvboxsync user 202:
0b2c738975b364a61e573387b56359586429777dvboxsync </p>
0b2c738975b364a61e573387b56359586429777dvboxsync<p>
0b2c738975b364a61e573387b56359586429777dvboxsync <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
0b2c738975b364a61e573387b56359586429777dvboxsync </p>
0b2c738975b364a61e573387b56359586429777dvboxsync<div class="sect2" lang="en">
0b2c738975b364a61e573387b56359586429777dvboxsync<div class="titlepage"><div><div><h3 class="title">
0b2c738975b364a61e573387b56359586429777dvboxsync<a name="id2607108"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
0b2c738975b364a61e573387b56359586429777dvboxsync<p>
0b2c738975b364a61e573387b56359586429777dvboxsync In order for a <span><strong class="command">chroot</strong></span> environment
0b2c738975b364a61e573387b56359586429777dvboxsync to
0b2c738975b364a61e573387b56359586429777dvboxsync work properly in a particular directory
0b2c738975b364a61e573387b56359586429777dvboxsync (for example, <code class="filename">/var/named</code>),
0b2c738975b364a61e573387b56359586429777dvboxsync you will need to set up an environment that includes everything
0b2c738975b364a61e573387b56359586429777dvboxsync <acronym class="acronym">BIND</acronym> needs to run.
0b2c738975b364a61e573387b56359586429777dvboxsync From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
0b2c738975b364a61e573387b56359586429777dvboxsync the root of the filesystem. You will need to adjust the values of
 options like
 <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
0b2c738975b364a61e573387b56359586429777dvboxsync for this.
0b2c738975b364a61e573387b56359586429777dvboxsync </p>
0b2c738975b364a61e573387b56359586429777dvboxsync<p>
0b2c738975b364a61e573387b56359586429777dvboxsync Unlike with earlier versions of BIND, you typically will
0b2c738975b364a61e573387b56359586429777dvboxsync <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
0b2c738975b364a61e573387b56359586429777dvboxsync statically nor install shared libraries under the new root.
0b2c738975b364a61e573387b56359586429777dvboxsync However, depending on your operating system, you may need
0b2c738975b364a61e573387b56359586429777dvboxsync to set up things like
0b2c738975b364a61e573387b56359586429777dvboxsync <code class="filename">/dev/zero</code>,
0b2c738975b364a61e573387b56359586429777dvboxsync <code class="filename">/dev/random</code>,
0b2c738975b364a61e573387b56359586429777dvboxsync <code class="filename">/dev/log</code>, and
0b2c738975b364a61e573387b56359586429777dvboxsync <code class="filename">/etc/localtime</code>.
0b2c738975b364a61e573387b56359586429777dvboxsync </p>
0b2c738975b364a61e573387b56359586429777dvboxsync</div>
0b2c738975b364a61e573387b56359586429777dvboxsync<div class="sect2" lang="en">
0b2c738975b364a61e573387b56359586429777dvboxsync<div class="titlepage"><div><div><h3 class="title">
0b2c738975b364a61e573387b56359586429777dvboxsync<a name="id2607168"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
0b2c738975b364a61e573387b56359586429777dvboxsync<p>
0b2c738975b364a61e573387b56359586429777dvboxsync Prior to running the <span><strong class="command">named</strong></span> daemon,
0b2c738975b364a61e573387b56359586429777dvboxsync use
0b2c738975b364a61e573387b56359586429777dvboxsync the <span><strong class="command">touch</strong></span> utility (to change file
0b2c738975b364a61e573387b56359586429777dvboxsync access and
0b2c738975b364a61e573387b56359586429777dvboxsync modification times) or the <span><strong class="command">chown</strong></span>
0b2c738975b364a61e573387b56359586429777dvboxsync utility (to
0b2c738975b364a61e573387b56359586429777dvboxsync set the user id and/or group id) on files
0b2c738975b364a61e573387b56359586429777dvboxsync to which you want <acronym class="acronym">BIND</acronym>
0b2c738975b364a61e573387b56359586429777dvboxsync to write.
0b2c738975b364a61e573387b56359586429777dvboxsync </p>
0b2c738975b364a61e573387b56359586429777dvboxsync<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
0b2c738975b364a61e573387b56359586429777dvboxsync<h3 class="title">Note</h3>
0b2c738975b364a61e573387b56359586429777dvboxsync Note that if the <span><strong class="command">named</strong></span> daemon is running as an
0b2c738975b364a61e573387b56359586429777dvboxsync unprivileged user, it will not be able to bind to new restricted
0b2c738975b364a61e573387b56359586429777dvboxsync ports if the server is reloaded.
0b2c738975b364a61e573387b56359586429777dvboxsync </div>
0b2c738975b364a61e573387b56359586429777dvboxsync</div>
0b2c738975b364a61e573387b56359586429777dvboxsync</div>
0b2c738975b364a61e573387b56359586429777dvboxsync<div class="sect1" lang="en">
0b2c738975b364a61e573387b56359586429777dvboxsync<div class="titlepage"><div><div><h2 class="title" style="clear: both">
0b2c738975b364a61e573387b56359586429777dvboxsync<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
0b2c738975b364a61e573387b56359586429777dvboxsync<p>
0b2c738975b364a61e573387b56359586429777dvboxsync Access to the dynamic
0b2c738975b364a61e573387b56359586429777dvboxsync update facility should be strictly limited. In earlier versions of
0b2c738975b364a61e573387b56359586429777dvboxsync <acronym class="acronym">BIND</acronym>, the only way to do this was
0b2c738975b364a61e573387b56359586429777dvboxsync based on the IP
0b2c738975b364a61e573387b56359586429777dvboxsync address of the host requesting the update, by listing an IP address
0b2c738975b364a61e573387b56359586429777dvboxsync or
0b2c738975b364a61e573387b56359586429777dvboxsync network prefix in the <span><strong class="command">allow-update</strong></span>
0b2c738975b364a61e573387b56359586429777dvboxsync zone option.
0b2c738975b364a61e573387b56359586429777dvboxsync This method is insecure since the source address of the update UDP
0b2c738975b364a61e573387b56359586429777dvboxsync packet
0b2c738975b364a61e573387b56359586429777dvboxsync is easily forged. Also note that if the IP addresses allowed by the
0b2c738975b364a61e573387b56359586429777dvboxsync <span><strong class="command">allow-update</strong></span> option include the
0b2c738975b364a61e573387b56359586429777dvboxsync address of a slave
0b2c738975b364a61e573387b56359586429777dvboxsync server which performs forwarding of dynamic updates, the master can
0b2c738975b364a61e573387b56359586429777dvboxsync be
0b2c738975b364a61e573387b56359586429777dvboxsync trivially attacked by sending the update to the slave, which will
0b2c738975b364a61e573387b56359586429777dvboxsync forward it to the master with its own source IP address causing the
0b2c738975b364a61e573387b56359586429777dvboxsync master to approve it without question.
0b2c738975b364a61e573387b56359586429777dvboxsync </p>
0b2c738975b364a61e573387b56359586429777dvboxsync<p>
0b2c738975b364a61e573387b56359586429777dvboxsync For these reasons, we strongly recommend that updates be
0b2c738975b364a61e573387b56359586429777dvboxsync cryptographically authenticated by means of transaction signatures
0b2c738975b364a61e573387b56359586429777dvboxsync (TSIG). That is, the <span><strong class="command">allow-update</strong></span>
0b2c738975b364a61e573387b56359586429777dvboxsync option should
0b2c738975b364a61e573387b56359586429777dvboxsync list only TSIG key names, not IP addresses or network
0b2c738975b364a61e573387b56359586429777dvboxsync prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>
0b2c738975b364a61e573387b56359586429777dvboxsync option can be used.
0b2c738975b364a61e573387b56359586429777dvboxsync </p>
0b2c738975b364a61e573387b56359586429777dvboxsync<p>
0b2c738975b364a61e573387b56359586429777dvboxsync Some sites choose to keep all dynamically-updated DNS data
0b2c738975b364a61e573387b56359586429777dvboxsync in a subdomain and delegate that subdomain to a separate zone. This
0b2c738975b364a61e573387b56359586429777dvboxsync way, the top-level zone containing critical data such as the IP
0b2c738975b364a61e573387b56359586429777dvboxsync addresses
0b2c738975b364a61e573387b56359586429777dvboxsync of public web and mail servers need not allow dynamic update at
0b2c738975b364a61e573387b56359586429777dvboxsync all.
0b2c738975b364a61e573387b56359586429777dvboxsync </p>
0b2c738975b364a61e573387b56359586429777dvboxsync</div>
0b2c738975b364a61e573387b56359586429777dvboxsync</div>
0b2c738975b364a61e573387b56359586429777dvboxsync<div class="navfooter">
0b2c738975b364a61e573387b56359586429777dvboxsync<hr>
0b2c738975b364a61e573387b56359586429777dvboxsync<table width="100%" summary="Navigation footer">
0b2c738975b364a61e573387b56359586429777dvboxsync<tr>
0b2c738975b364a61e573387b56359586429777dvboxsync<td width="40%" align="left">
<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>&nbsp;</td>
<td width="20%" align="center">&nbsp;</td>
<td width="40%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
0b2c738975b364a61e573387b56359586429777dvboxsync</td>
0b2c738975b364a61e573387b56359586429777dvboxsync</tr>
0b2c738975b364a61e573387b56359586429777dvboxsync<tr>
<td width="40%" align="left" valign="top">Chapter&nbsp;6.&nbsp;<acronym class="acronym">BIND</acronym> 9 Configuration Reference&nbsp;</td>
0b2c738975b364a61e573387b56359586429777dvboxsync<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">&nbsp;Chapter&nbsp;8.&nbsp;Troubleshooting</td>
0b2c738975b364a61e573387b56359586429777dvboxsync</tr>
0b2c738975b364a61e573387b56359586429777dvboxsync</table>
0b2c738975b364a61e573387b56359586429777dvboxsync</div>
0b2c738975b364a61e573387b56359586429777dvboxsync</body>
0b2c738975b364a61e573387b56359586429777dvboxsync</html>