Bv9ARM.ch07.html revision bea931e17b7567f09107f93ab7e25c7f00abeb9c
<!--
 - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.ch07.html,v 1.139 2007/05/08 02:30:42 marka Exp $ -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter 7. BIND 9 Security Considerations</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter 6. BIND 9 Configuration Reference">
<link rel="next" href="Bv9ARM.ch08.html" title="Chapter 8. Troubleshooting">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
<tr>
<td width="20%" align="left"><a accesskey="p" href="Bv9ARM.ch06.html">Prev</a> </td>
<td width="60%" align="center"></td>
<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch08.html">Next</a></td>
</tr>
</table>
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch07"></a>Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
<div class="toc">
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2593121"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2593197">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2593325">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
</dl>
</div>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
<p>
 Access Control Lists (ACLs) are address match lists that
 you can set up and nickname for future use in options such as
 <span><strong class="command">allow-notify</strong></span>,
 <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>,
 <span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>,
 <span><strong class="command">blackhole</strong></span>, and <span><strong class="command">allow-transfer</strong></span>.
 Using ACLs gives you finer control over who can access
 your name server, without cluttering up your configuration files with huge
 lists of IP addresses.
</p>
<p>
 It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
 control access to your server. Limiting access to your server by
 outside parties can help prevent spoofing and denial of service (DoS) attacks against
 your server.
</p>
<p>
 Here is an example of how to properly apply ACLs (the
 <span><strong class="command">our-nets</strong></span> prefixes and the zone name are placeholders):
</p>
<pre class="programlisting">
// Set up an ACL named "bogusnets" that will block RFC1918 space
// and some reserved space, which is commonly used in spoofing attacks.
acl bogusnets {
        0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
        10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
};
// Set up an ACL called our-nets. Replace this with the real IP numbers.
acl our-nets { 198.51.100.0/24; 203.0.113.0/24; };   // placeholders
options {
        // ... other options ...
        allow-query { our-nets; };
        allow-recursion { our-nets; };
        blackhole { bogusnets; };
};
zone "example.com" {                                  // placeholder zone
        type master;
        file "m/example.com";
        allow-query { any; };
};
</pre>
<p>
 The zone-level <span><strong class="command">allow-query { any; }</strong></span> overrides the
 global <span><strong class="command">allow-query</strong></span> for that zone only, so hosts outside
 <span><strong class="command">our-nets</strong></span> can query the authoritative data in it.
 Recursion is decided separately: with
 <span><strong class="command">allow-recursion { our-nets; }</strong></span> in
 <span><strong class="command">options</strong></span>, outside clients receive authoritative answers
 for that zone but no recursive service.
</p>
<p>
 Lists of unallocated ("bogon") address space go stale. Both 1.0.0.0/8 and 2.0.0.0/8 from the
 <span><strong class="command">bogusnets</strong></span> example have since been allocated, so blackholing
 them today drops legitimate clients; 0.0.0.0/8, the RFC 1918 prefixes, 192.0.2.0/24 and
 224.0.0.0/3 remain safe to keep. Review such a list whenever the configuration is touched.
</p>
<p>
 For more information on how to use ACLs to protect your server,
 see the <span class="emphasis"><em>AUSCERT</em></span> advisory at:
 <a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a>
</p>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2593121"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></h2></div></div></div>
<p>
 On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym> in a <span class="emphasis"><em>chrooted</em></span> environment
 (using the <span><strong class="command">chroot()</strong></span> function) by specifying the "<code class="option">-t</code>"
 option. This can help improve system security by placing <acronym class="acronym">BIND</acronym> in
 a "sandbox", which will limit the damage done if a server is
 compromised.
</p>
<p>
 Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
 ability to run the daemon as an unprivileged user (<code class="option">-u</code> <em class="replaceable"><code>user</code></em>).
 We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature:
 a process that still runs as root can break out of a plain <span><strong class="command">chroot</strong></span>,
 so the sandbox only holds if privileges are dropped as well.
</p>
<p>
 Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
 <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
 user 202:
</p>
<pre class="programlisting"><strong class="userinput"><code>/usr/local/bin/named -u 202 -t /var/named</code></strong></pre>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2593197"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
<p>
 In order for a <span><strong class="command">chroot</strong></span> environment
 to work properly in a particular directory
 (for example, <code class="filename">/var/named</code>),
 you will need to set up an environment that includes everything
 <acronym class="acronym">BIND</acronym> needs to run.
 From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
 the root of the filesystem. You will need to adjust the values of
 options like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
 for this: a <span><strong class="command">directory "/zones"</strong></span> statement refers to
 <code class="filename">/var/named/zones</code> on the host. The configuration file is looked up
 inside the new root as well, since <code class="option">-t</code> takes effect before it is read;
 with a default path of <code class="filename">/etc/named.conf</code> that means
 <code class="filename">/var/named/etc/named.conf</code> unless <code class="option">-c</code> says otherwise.
</p>
<p>
 Unlike with earlier versions of BIND, you typically will
 <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
 statically nor install shared libraries under the new root, because the
 <span><strong class="command">chroot()</strong></span> call happens after the binary and its libraries are loaded.
 However, depending on your operating system, you may need
 to set up things like
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2593325"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
<p>
 Prior to running the <span><strong class="command">named</strong></span> daemon, use
 the <span><strong class="command">touch</strong></span> utility (to change file
 modification times) or the <span><strong class="command">chown</strong></span> utility (to change ownership)
 on the files and directories to which you want <acronym class="acronym">BIND</acronym> to write, so that they
 belong to the unprivileged user. Everything else, the configuration and any key files included,
 should stay readable but not writable by that user: a compromised
 <span><strong class="command">named</strong></span> must not be able to rewrite its own configuration.
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
 Note that if the <span><strong class="command">named</strong></span> daemon is running as an
 unprivileged user, it will not be able to bind to new restricted
 (privileged, below 1024) ports if the server is reloaded, because the privilege needed to do so
 was dropped at startup; adding such a listener requires a restart.
</p>
</div>
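<p>
 The two subsections above list what a <span><strong class="command">chroot</strong></span> needs and what the
 unprivileged user must own. The script below is an added example, not part of the ARM or of
 <acronym class="acronym">BIND</acronym> itself: it lays out such a root and checks that every path the
 generated <span><strong class="command">named.conf</strong></span> refers to exists beneath it, applying the same
 "root + path" translation <span><strong class="command">named</strong></span> does after <code class="option">-t</code>.
 The directory layout, the <span><strong class="command">named.conf</strong></span> contents, the Linux device
 numbers and the function names <span><strong class="command">conf_value</strong></span>,
 <span><strong class="command">named_chroot_skel</strong></span> and <span><strong class="command">named_chroot_check</strong></span>
 are assumptions for the illustration.
</p>

```shell
#!/bin/sh
# Added example (not from the BIND ARM): lay out a chroot for named and
# check that the paths its named.conf names exist inside that root.
# The layout, the named.conf contents and the Linux device numbers below
# are assumptions for the illustration.
set -eu

# Print the quoted value of single-valued option $1 from named.conf $2.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2"
}

# Create the skeleton under $1 for named running as user (or uid) $2.
# Every path written into named.conf is relative to the chroot: once
# named has called chroot(2), $1 is "/" as far as it is concerned, so
# directory "/var/named/zones" means $1/var/named/zones on the host.
named_chroot_skel() {
    root=$1; user=$2
    mkdir -p "$root/etc" "$root/dev" "$root/var/run/named" "$root/var/named/zones"
    # With -t, named reads its configuration after chrooting, so the
    # default /etc/named.conf is looked up as $root/etc/named.conf.
    cat > "$root/etc/named.conf" <<'EOF'
options {
    directory "/var/named/zones";          // host path: ROOT/var/named/zones
    pid-file  "/var/run/named/named.pid";  // host path: ROOT/var/run/named/named.pid
};
EOF
    if [ "$(id -u)" -eq 0 ]; then
        # Device nodes (Linux major/minor numbers) and ownership need root.
        # /dev/log is a socket created by syslogd, not a node; point syslogd
        # at $root/dev/log if named should log through syslog.
        [ -c "$root/dev/null" ]   || mknod -m 666 "$root/dev/null"   c 1 3
        [ -c "$root/dev/random" ] || mknod -m 444 "$root/dev/random" c 1 8
        # Only what named writes (pid file, zone files it maintains) is
        # handed to the unprivileged user; /etc stays root-owned, read-only.
        chown -R "$user" "$root/var/run/named" "$root/var/named/zones"
    fi
    chmod 755 "$root/etc"
    chmod 644 "$root/etc/named.conf"
}

# Verify that everything named.conf refers to exists below the chroot.
# Prints what is missing and returns 1 in that case, 0 otherwise.
named_chroot_check() {
    root=$1; conf=$root/etc/named.conf; rc=0
    dir=$(conf_value directory "$conf")
    pid=$(conf_value pid-file "$conf")
    [ -d "$root$dir" ] || { echo "missing zone directory $root$dir"; rc=1; }
    [ -d "$root$(dirname "$pid")" ] || { echo "missing pid directory $root$(dirname "$pid")"; rc=1; }
    for dev in null random; do
        [ -e "$root/dev/$dev" ] || { echo "missing /dev/$dev inside $root"; rc=1; }
    done
    return $rc
}

# Host usage (as root), matching the ARM's command line:
#   named_chroot_skel /var/named 202 && named_chroot_check /var/named \
#     && /usr/local/bin/named -u 202 -t /var/named
```

<p>
 Run the skeleton step as root on the host; the check can be run by anyone and is worth repeating
 after every configuration change, since a <span><strong class="command">directory</strong></span> or
 <span><strong class="command">pid-file</strong></span> value copied from a non-chrooted setup will point outside
 the sandbox and <span><strong class="command">named</strong></span> will fail to start.
</p>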
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
<p>
 Access to the dynamic
 update facility should be strictly limited. In earlier versions of
 <acronym class="acronym">BIND</acronym>, the only way to do this was
 based on the IP
 address of the host requesting the update, by listing an IP address
 or network prefix in the <span><strong class="command">allow-update</strong></span>
 zone option.
 This method is insecure since the source address of the update UDP packet
 is easily forged. Also note that if the IP addresses allowed by the
 <span><strong class="command">allow-update</strong></span> option include the
 address of a slave
 server which performs forwarding of dynamic updates, the master can be
 trivially attacked by sending the update to the slave, which will
 forward it to the master with its own source IP address, causing the
 master to approve it without question.
</p>
<p>
 For these reasons, we strongly recommend that updates be
 cryptographically authenticated by means of transaction signatures
 (TSIG). That is, the <span><strong class="command">allow-update</strong></span>
 option should
 list only TSIG key names, not IP addresses or network
 prefixes. Alternatively, the <span><strong class="command">update-policy</strong></span>
 option can be used, which additionally restricts which names and record types each key may change.
</p>
<p>
 Some sites choose to keep all dynamically-updated DNS data
 in a subdomain and delegate that subdomain to a separate zone. This
 way, the top-level zone containing critical data such as the IP addresses
 of public web and mail servers need not allow dynamic update at all.
</p>
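<p>
 The following script is an added example, not part of the ARM or of <acronym class="acronym">BIND</acronym>,
 that puts the advice above into working configuration: it generates a TSIG key statement the way
 <span><strong class="command">tsig-keygen</strong></span> would (using <code class="filename">/dev/urandom</code>
 in its place), writes the address-based zone configuration beside the key-based one, lints a
 <span><strong class="command">named.conf</strong></span> for <span><strong class="command">allow-update</strong></span>
 clauses that still grant by address, and builds an <span><strong class="command">nsupdate</strong></span>
 batch for the signed path. The zone name <span><strong class="command">dyn.example.com</strong></span>, the key name
 <span><strong class="command">dyn-updater</strong></span>, the file paths and the function names are assumptions for
 the illustration.
</p>

```shell
#!/bin/sh
# Added example (not from the BIND ARM): TSIG-authenticated dynamic
# updates. Zone name, key name, file paths and the use of /dev/urandom in
# place of tsig-keygen are assumptions for the illustration.
set -eu

# Write a key statement for key $1 to file $2 with a fresh 256-bit secret.
# The file is created mode 0600 because the secret is a bearer credential:
# whoever can read it can sign updates.
write_tsig_key() {
    secret=$(head -c 32 /dev/urandom | base64 | tr -d '\n')
    ( umask 077; cat > "$2" <<EOF
key "$1" {
    algorithm hmac-sha256;
    secret "$secret";
};
EOF
    )
}

# The pattern the text warns against: trust decided by source address,
# which is spoofable and which a forwarding slave launders in any case.
weak_zone_conf() {
    cat <<'EOF'
zone "dyn.example.com" {
    type master;
    file "dyn/dyn.example.com";
    allow-update { 192.0.2.0/24; };
};
EOF
}

# The hardened form: only holders of key $1 may update, whatever address
# the request arrives from. update-policy narrows this further, e.g.
#   update-policy { grant dyn-updater subdomain dyn.example.com A AAAA TXT; };
# but a zone may carry either allow-update or update-policy, not both.
hardened_zone_conf() {
    cat <<EOF
include "/etc/named/$1.key";
zone "dyn.example.com" {
    type master;
    file "dyn/dyn.example.com";
    allow-update { key "$1"; };
};
EOF
}

# Return 1 if any allow-update clause in file $1 contains anything other
# than key names or "none" (an address, a prefix, "any" or a plain ACL).
lint_allow_update() {
    tr '\n' ' ' < "$1" |
        grep -o 'allow-update *{[^}]*}' |
        grep -Ev '^allow-update *[{]( *(key *"?[A-Za-z0-9._-]+"?|none) *;)+ *[}]$' >/dev/null \
        && return 1
    return 0
}

# An nsupdate batch replacing the A record of $2 in zone $1 with $3.
# Feed it to nsupdate with the key file so every request is signed:
#   nsupdate_batch dyn.example.com host1.dyn.example.com 192.0.2.10 \
#     | nsupdate -k /etc/named/dyn-updater.key
nsupdate_batch() {
    cat <<EOF
zone $1
update delete $2 A
update add $2 300 A $3
send
EOF
}
```

<p>
 The lint is deliberately strict: an <span><strong class="command">allow-update</strong></span> clause that mixes
 a key with a prefix is flagged too, because the prefix alone is enough for an unsigned, spoofed
 update to be accepted. Keep the key file owned by root and readable only by the user
 <span><strong class="command">named</strong></span> runs as, and give update clients their own copy rather
 than sharing the server's.
</p>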
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left"><a accesskey="p" href="Bv9ARM.ch06.html">Prev</a> </td>
<td width="20%" align="center"></td>
<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch08.html">Next</a></td>
</tr>
<tr>
<td width="40%" align="left" valign="top">Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference </td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top"> Chapter 8. Troubleshooting</td>
</tr>
</table>
</body>