fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<!--
70e5a7403f0e0a3bd292b8287c5fed5772c15270Automatic Updater - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence -
ec5347e2c775f027573ce5648b910361aa926c01Automatic Updater - Permission to use, copy, modify, and/or distribute this software for any
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - purpose with or without fee is hereby granted, provided that the above
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - copyright notice and this permission notice appear in all copies.
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence -
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - PERFORMANCE OF THIS SOFTWARE.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence-->
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<!-- $Id$ -->
3fb1637c9265cc593973326ae193783413f68699Tatuya JINMEI 神明達哉<html>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<head>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter&nbsp;7.&nbsp;BIND 9 Security Considerations</title>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
29747dfe5e073a299b3681e01f5c55540f8bfed7Mark Andrews<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter&nbsp;6.&nbsp;BIND 9 Configuration Reference">
<link rel="next" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
c4717613e45323ed23dc6e9162cba89f1f83830cDavid Lawrence</head>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
9550eb2dab1d03e03e6c060f92e655d47ac1fc1bMichael Graff<div class="navheader">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Chapter&nbsp;7.&nbsp;<acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
8f804834e2b537da5c8bc81f986143a46147b490Andreas Gustafsson<tr>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<td width="20%" align="left">
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>�</td>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<th width="60%" align="center">�</th>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</td>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</tr>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</table>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<hr>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein</div>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<div class="chapter" lang="en">
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch07"></a>Chapter&nbsp;7.&nbsp;<acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="toc">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p><b>Table of Contents</b></p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dl>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2605300"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<dd><dl>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2605381">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2605441">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein</dl></dd>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</dl>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="sect1" lang="en">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="titlepage"><div><div><h2 class="title" style="clear: both">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Access Control Lists (ACLs) are address match lists that
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence etc.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Using ACLs allows you to have finer control over who can access
2918b5bda6a55c301eb87992b5f2acd7176d0737David Lawrence your name server, without cluttering up your config files with huge
2918b5bda6a55c301eb87992b5f2acd7176d0737David Lawrence lists of IP addresses.
2918b5bda6a55c301eb87992b5f2acd7176d0737David Lawrence </p>
959cf5e112c41ba8da2a202f51bc0c7a3cf47f68Tatuya JINMEI 神明達哉<p>
 It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
 control access to your server. Limiting access to your server by
 outside parties can help prevent spoofing and denial of service (DoS) attacks against
 your server. In particular, restrict recursion
 (<span><strong class="command">allow-recursion</strong></span>) to your own
 networks: a server that recurses for anyone on the Internet ("open
 resolver") can be abused as a reflector in amplification attacks
 against third parties.
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein </p>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Here is an example of how to properly apply ACLs:
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<pre class="programlisting">
// Set up an ACL named "bogusnets" that will block
// RFC1918 space and some reserved space, which is
// commonly used in spoofing attacks.
// 0.0.0.0/8 is "this network", 192.0.2.0/24 is the TEST-NET
// documentation range, and 224.0.0.0/3 covers multicast plus the
// reserved space above it; none of these should ever be the source
// address of a legitimate query arriving from the Internet.
// NOTE: if your own networks use RFC1918 addresses, leave those
// prefixes out of bogusnets -- blackhole drops traffic from the listed
// addresses without a response, regardless of what allow-query or
// allow-recursion would otherwise permit.
acl bogusnets {
 0.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
};

// Set up an ACL called our-nets. Replace this with the
// real IP numbers.
// (x.x.x.x is only a placeholder; substitute your real prefixes.)
acl our-nets { x.x.x.x/24; x.x.x.x/21; };
options {
 ...
 ...
 // Only hosts in our-nets may query this server at all (unless a zone
 // overrides this, as example.com does below) ...
 allow-query { our-nets; };
 // ... and only they may ask it to recurse, so the server is not an
 // open resolver for the rest of the Internet.
 allow-recursion { our-nets; };
 ...
 // Packets from bogusnets are discarded with no reply at all.
 blackhole { bogusnets; };
 ...
};

zone "example.com" {
 type master;
 file "m/example.com";
 // The zone-level allow-query overrides the global one: anyone may ask
 // authoritative questions about example.com, but recursion is still
 // limited to our-nets by allow-recursion above.
 allow-query { any; };
};
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</pre>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<p>
 This allows authoritative queries for "example.com" from any address
 (the zone-level <span><strong class="command">allow-query</strong></span>
 overrides the global one), but recursive queries only from the networks
 listed in "our-nets" (and none at all if recursion has been disabled);
 packets from "bogusnets" are dropped without a response.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="sect1" lang="en">
8862388bcb44f634cbfc3e69f11ff4cb76590a4bMark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
8862388bcb44f634cbfc3e69f11ff4cb76590a4bMark Andrews<a name="id2605300"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</h2></div></div></div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein in a <span class="emphasis"><em>chrooted</em></span> environment (using
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein the <span><strong class="command">chroot()</strong></span> function) by specifying
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein the "<code class="option">-t</code>" option for <span><strong class="command">named</strong></span>.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence This can help improve system security by placing
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence the damage done if a server is compromised.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
61e9c1cdbe29683bb2db388e4fc6a6fd59315cefDavid Lawrence ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
 Always run as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature:
 a chroot by itself does little to contain a process that still runs as
 root, since a root process can generally escape it.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence user 202:
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="sect2" lang="en">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="titlepage"><div><div><h3 class="title">
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<a name="id2605381"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<p>
1a487fb7d230403bf1b5d6628542134f52c80653Michael Graff In order for a <span><strong class="command">chroot</strong></span> environment
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence to
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence work properly in a particular directory
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence (for example, <code class="filename">/var/named</code>),
1a487fb7d230403bf1b5d6628542134f52c80653Michael Graff you will need to set up an environment that includes everything
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <acronym class="acronym">BIND</acronym> needs to run.
c4958494a98a59ce25e9fecad76a9ab0e36cc59fDanny Mayer From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
c4958494a98a59ce25e9fecad76a9ab0e36cc59fDanny Mayer the root of the filesystem. You will need to adjust the values of
 options like
 <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
 for this: paths in the configuration are interpreted relative to the
 new root, not the real filesystem root.
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein </p>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<p>
1a487fb7d230403bf1b5d6628542134f52c80653Michael Graff Unlike with earlier versions of BIND, you typically will
1a487fb7d230403bf1b5d6628542134f52c80653Michael Graff <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
1a487fb7d230403bf1b5d6628542134f52c80653Michael Graff statically nor install shared libraries under the new root.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence However, depending on your operating system, you may need
5fe5a0c02634eaadfcbc3528bf2c184557110a3bAndreas Gustafsson to set up things like
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein <code class="filename">/dev/zero</code>,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <code class="filename">/dev/random</code>,
1a487fb7d230403bf1b5d6628542134f52c80653Michael Graff <code class="filename">/dev/log</code>, and
df0f58959ed82a2a43ca8d816ce9592541df9f2fMark Andrews <code class="filename">/etc/localtime</code>.
ecf7a1812527d5557564b71363dabec491980246Mark Andrews </p>
88f7da46901f5d1218e354768674e72e9190d05aMichael Graff</div>
1a487fb7d230403bf1b5d6628542134f52c80653Michael Graff<div class="sect2" lang="en">
b161f87be81548d1b6d0210a7e138a08fbb2d3e5David Lawrence<div class="titlepage"><div><div><h3 class="title">
b161f87be81548d1b6d0210a7e138a08fbb2d3e5David Lawrence<a name="id2605441"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
 Before starting the <span><strong class="command">named</strong></span> daemon
 as an unprivileged user, make sure that every file it must write
 (for example the zone files of slave zones, dynamic update journals,
 and the <span><strong class="command">pid-file</strong></span>) exists
 and is owned by, or at least writable by, that user: create it with the
 <span><strong class="command">touch</strong></span> utility if necessary
 and set its ownership with the <span><strong class="command">chown</strong></span>
 utility. <acronym class="acronym">BIND</acronym> generally needs no
 write access to anything else, so keep the configuration and the
 remaining zone data read-only to that user.
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein </p>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<h3 class="title">Note</h3>
 Note that if the <span><strong class="command">named</strong></span> daemon is running as an
 unprivileged user, it will not be able to bind to new restricted
 ports (on most UNIX systems, ports below 1024) if the server is reloaded,
 because the privileges needed to do so were dropped at startup. Decide
 on the listening addresses and ports before starting the server.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence </div>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein</div>
1b106e224d3931e85d68c091fe1ec7758d9f07cbAndreas Gustafsson</div>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<div class="sect1" lang="en">
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<div class="titlepage"><div><div><h2 class="title" style="clear: both">
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<p>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein Access to the dynamic
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence update facility should be strictly limited. In earlier versions of
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence <acronym class="acronym">BIND</acronym>, the only way to do this was
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence based on the IP
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence address of the host requesting the update, by listing an IP address
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein or
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence network prefix in the <span><strong class="command">allow-update</strong></span>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence zone option.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence This method is insecure since the source address of the update UDP
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence packet
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence is easily forged. Also note that if the IP addresses allowed by the
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence <span><strong class="command">allow-update</strong></span> option include the
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence address of a slave
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein server which performs forwarding of dynamic updates, the master can
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence be
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence trivially attacked by sending the update to the slave, which will
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence forward it to the master with its own source IP address causing the
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence master to approve it without question.
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence </p>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<p>
 For these reasons, we strongly recommend that updates be
 cryptographically authenticated by means of transaction signatures
 (TSIG). That is, the <span><strong class="command">allow-update</strong></span>
 option should
 list only TSIG key names, not IP addresses or network
 prefixes. Alternatively, the <span><strong class="command">update-policy</strong></span>
 option can be used to grant each key the right to update only
 specific names and record types. Because a TSIG key is a shared
 secret, protect the file holding it from being read by other users
 on the host.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Some sites choose to keep all dynamically-updated DNS data
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein in a subdomain and delegate that subdomain to a separate zone. This
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence way, the top-level zone containing critical data such as the IP
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence addresses
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein of public web and mail servers need not allow dynamic update at
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence all.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein</div>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="navfooter">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<hr>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<table width="100%" summary="Navigation footer">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<tr>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<td width="40%" align="left">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>�</td>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<td width="20%" align="center">�</td>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<td width="40%" align="right">�<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein</td>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</tr>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<tr>
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence<td width="40%" align="left" valign="top">Chapter�6.�<acronym class="acronym">BIND</acronym> 9 Configuration Reference�</td>
edcd1247ad7e81bb8b430e610d9718f64c70f05dDavid Lawrence<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<td width="40%" align="right" valign="top">�Chapter�8.�Troubleshooting</td>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence</tr>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence</table>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence</div>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein</body>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence</html>
863ac191b448a13ae1a3a8ee3458344e11602737David Lawrence