Bv9ARM.ch07.html revision c11135d39e82f0cd1c67869c535f4af77cd8eda6
<!--
 - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter&nbsp;7.&nbsp;BIND 9 Security Considerations</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter&nbsp;6.&nbsp;BIND 9 Configuration Reference">
<link rel="next" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<tr><th colspan="3" align="center">Chapter&nbsp;7.&nbsp;<acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>&nbsp;</td>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch07"></a>Chapter&nbsp;7.&nbsp;<acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2605225"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2605306">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2605366">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
Access Control Lists (ACLs) are address match lists that
you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
<span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>,
<span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>,
<span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
and similar options.
Using ACLs allows you to have finer control over who can access
your name server, without cluttering up your config files with huge
lists of IP addresses.
An address match list is evaluated in order and the first matching
entry decides, so a negated entry (written with a leading "!") must
come before any broader prefix it is meant to exclude.
It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
control access to your server. Limiting access to your server by
outside parties can help prevent spoofing and denial of service (DoS) attacks against
your server.
Here is an example of how to properly apply ACLs:
<pre class="programlisting">
// Set up an ACL named "bogusnets" that will block
// RFC1918 space and some reserved space, which is
// commonly used in spoofing attacks.
acl bogusnets {
        0.0.0.0/8;  192.0.2.0/24; 224.0.0.0/3;
        10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
};

// Set up an ACL called our-nets. Replace this with the
// real IP numbers.
acl our-nets { x.x.x.x/24; x.x.x.x/21; };

options {
        allow-query { our-nets; };
        allow-recursion { our-nets; };
        blackhole { bogusnets; };
};
zone "example.com" {
        type master;
        file "m/example.com";
        allow-query { any; };
};
</pre>
Here the zone-level <span><strong class="command">allow-query { any; }</strong></span>
overrides the global <span><strong class="command">allow-query</strong></span> for
<code class="filename">example.com</code> only, so anyone may query that zone's
authoritative data. Queries for any other name, and recursive service,
remain limited to <span><strong class="command">our-nets</strong></span> by the
global <span><strong class="command">allow-query</strong></span> and
<span><strong class="command">allow-recursion</strong></span> options (and recursion
is only offered at all if it has not been disabled).
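The following is an added example, not code from the BIND manual or from ISC: a small Python simulation of how named walks an address match list (first match wins, a leading "!" negates, and a nested ACL name counts as a match only when one of its positive entries matches), so you can check which client addresses the ACLs above admit before deploying named.conf. The our-nets prefixes are constructed samples from the RFC 5737 documentation ranges standing in for the x.x.x.x placeholders, and the simulation does not model TSIG key names, localhost or localnets (an assumption, not a limitation of BIND).

```python
"""Simulate BIND address-match-list evaluation for the ACLs in this chapter.

Added example, not BIND code. First match wins; '!' negates; a nested ACL
only matches positively. Key names, 'localhost' and 'localnets' are not
modelled (assumption).
"""
import ipaddress

ACLS = {
    "bogusnets": ["0.0.0.0/8", "192.0.2.0/24", "224.0.0.0/3",
                  "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    # Constructed sample prefixes standing in for the x.x.x.x placeholders.
    "our-nets": ["203.0.113.0/24", "198.51.100.0/24"],
}

# The option -> address match list assignments from the named.conf above.
OPTIONS = {
    "allow-query": ["our-nets"],
    "allow-recursion": ["our-nets"],
    "blackhole": ["bogusnets"],
}


def match(ip, aml, acls=ACLS):
    """Return 1 on a positive match, -1 on a negated match, 0 if nothing matched."""
    for element in aml:
        negate = element.startswith("!")
        name = element.lstrip("!").strip()
        if name == "any":
            hit = True
        elif name == "none":
            # Predefined as { !any; }: it can never produce a positive match.
            hit = False
        elif name in acls:
            # A negated entry inside a nested ACL is treated as "no match", so
            # double negation cannot turn into a surprise allow.
            hit = match(ip, acls[name], acls) > 0
        else:
            # A bare address or prefix; address families that differ never match.
            hit = ip in ipaddress.ip_network(name, strict=False)
        if hit:
            return -1 if negate else 1
    return 0


def allowed(addr, option, options=OPTIONS, acls=ACLS):
    """True if a client at `addr` passes the address match list of `option`."""
    return match(ipaddress.ip_address(addr), options[option], acls) > 0


def order_matters(addr):
    """Show that a negation only takes effect if it precedes the broader entry."""
    ip = ipaddress.ip_address(addr)
    good = match(ip, ["!192.168.1.1", "192.168.0.0/16"], {})  # exception seen first
    bad = match(ip, ["192.168.0.0/16", "!192.168.1.1"], {})   # exception never reached
    return good, bad


if __name__ == "__main__":
    # 1.2.3.4 is an arbitrary address outside both ACLs.
    for client in ("203.0.113.10", "1.2.3.4", "10.1.2.3"):
        print(client, {o: allowed(client, o) for o in OPTIONS})
    print("192.168.1.1 with exception first / last:", order_matters("192.168.1.1"))
```

Run it before you reload named: a client that shows up as allowed for allow-recursion but should not be is a configuration error you can catch offline, and the order_matters case is the mistake the first-match rule makes easy.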
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2605225"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></h2></div></div></div>
On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
in a <span class="emphasis"><em>chrooted</em></span> environment (using
the <span><strong class="command">chroot()</strong></span> function) by specifying
the "<code class="option">-t</code>" option for <span><strong class="command">named</strong></span>.
This can help improve system security by placing
<acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
the damage done if a server is compromised.
Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature:
a chroot alone does not stop a process that still runs as root.
Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
<span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
user 202:
<strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2605306"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
In order for a <span><strong class="command">chroot</strong></span> environment
to work properly in a particular directory
(for example, <code class="filename">/var/named</code>),
you will need to set up an environment that includes everything
<acronym class="acronym">BIND</acronym> needs to run.
From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
the root of the filesystem. You will need to adjust the values of
options like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
for this: a path written in <code class="filename">named.conf</code> is
resolved relative to the new root, not the host's.
Unlike with earlier versions of BIND, you typically will
<span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
statically nor install shared libraries under the new root.
However, depending on your operating system, you may need
to set up things like <code class="filename">/dev/null</code>,
<code class="filename">/dev/random</code>, <code class="filename">/dev/log</code>,
and <code class="filename">/etc/localtime</code> inside the new root.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2605366"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
Prior to running the <span><strong class="command">named</strong></span> daemon,
use the <span><strong class="command">touch</strong></span> utility (to change file
modification times) or the <span><strong class="command">chown</strong></span>
utility (to set the user id and/or group id) on files
to which you want <acronym class="acronym">BIND</acronym>
to write, such as the pid file, slave zone files and journal files.
Everything else under the new root should stay owned by root and
read-only to the <span><strong class="command">named</strong></span> user, so that a
compromised daemon cannot rewrite its own configuration or zone data.
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
Note that if the <span><strong class="command">named</strong></span> daemon is running as an
unprivileged user, it will not be able to bind to new restricted
ports if the server is reloaded. (On Linux, according to the
<span><strong class="command">named</strong></span> manual page, the daemon uses the
kernel's capability mechanism to keep the ability to bind to a privileged
port after dropping root, so this limitation applies to other systems.)
</div>
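The two subsections above describe one procedure: build a tree under the new root, rewrite the paths in named.conf relative to it, and chown the files named must write. The following is an added example, not code from the BIND manual or from ISC: a pre-flight check in Python that maps chroot-relative paths onto host paths and reports what is missing or not writable by the unprivileged user before you start named with -u and -t. The lists of required files (etc/named.conf, etc/localtime, dev/null, dev/random, var/run/named.pid) are assumptions drawn from this chapter, not an authoritative list for any particular operating system, and the function names are this example's own.

```python
"""Pre-flight check for running named chrooted and setuid, e.g.

    /usr/local/sbin/named -u named -t /var/named

Added example, not BIND code. The required-file lists are assumptions
drawn from this chapter; what your OS needs inside the chroot may differ.
"""
import os
import stat

READABLE = ["etc/named.conf", "etc/localtime"]   # plain files named reads
CHAR_DEVICES = ["dev/null", "dev/random"]         # devices some systems need
WRITABLE = ["var/run/named.pid"]                  # 'pid-file', chroot-relative


def host_path(chroot, inner):
    """Translate a path as written in named.conf (relative to the new root)
    into the path the administrator sees on the host."""
    return os.path.join(chroot, inner.lstrip("/"))


def writable_by(st, uid, gid):
    """Would a process running as uid/gid be allowed to write this inode?"""
    m = st.st_mode
    return bool((st.st_uid == uid and m & stat.S_IWUSR)
                or (st.st_gid == gid and m & stat.S_IWGRP)
                or (m & stat.S_IWOTH))


def check_chroot(chroot, uid, gid, readable=READABLE,
                 char_devices=CHAR_DEVICES, writable=WRITABLE):
    """Return a list of problems; an empty list means the tree looks ready."""
    problems = []
    for rel in readable:
        p = host_path(chroot, rel)
        if not os.path.isfile(p):
            problems.append("missing file: " + p)
    for rel in char_devices:
        p = host_path(chroot, rel)
        if not os.path.exists(p):
            problems.append("missing device: " + p)
        elif not stat.S_ISCHR(os.stat(p).st_mode):
            problems.append("not a character device: " + p)
    for rel in writable:
        p = host_path(chroot, rel)
        # named creates the pid file itself, so the parent directory is what
        # must be writable; if the file already exists it must be too
        # (this is what the touch/chown step above is for).
        target = p if os.path.exists(p) else os.path.dirname(p)
        if not os.path.exists(target):
            problems.append("missing directory: " + target)
        elif not writable_by(os.stat(target), uid, gid):
            problems.append("not writable by uid %d: %s" % (uid, target))
    return problems


def make_skeleton(chroot):
    """Create the directory layout the checks expect (no devices, no chown)."""
    for d in ("etc", "dev", "var/run"):
        os.makedirs(host_path(chroot, d), exist_ok=True)
    return chroot


if __name__ == "__main__":
    import pwd
    import sys
    chroot, user = sys.argv[1], sys.argv[2]   # e.g. /var/named named
    pw = pwd.getpwnam(user)
    for line in check_chroot(chroot, pw.pw_uid, pw.pw_gid) or ["ok"]:
        print(line)
```

Running it as root against the real tree is the useful case; the ownership check is deliberately strict (only the owner, group or other write bit that applies to the named user counts), because a tree that is writable by the daemon where it should not be defeats the point of dropping privileges.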
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
Access to the dynamic
update facility should be strictly limited. In earlier versions of
<acronym class="acronym">BIND</acronym>, the only way to do this was
based on the IP
address of the host requesting the update, by listing an IP address or
network prefix in the <span><strong class="command">allow-update</strong></span>
zone option.
This method is insecure since the source address of the update UDP packet
is easily forged. Also note that if the IP addresses allowed by the
<span><strong class="command">allow-update</strong></span> option include the