5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<HTML

11e9368a226272085c337e9e74b79808c16fbdbaTinderbox User><HEAD

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews><TITLE

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews>BIND 9 Security Considerations</TITLE

4a14ce5ba00ab7bc55c99ffdcf59c7a4ab902721Automatic Updater><META

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews"><LINK

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark AndrewsHREF="Bv9ARM.html"><LINK

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark AndrewsHREF="Bv9ARM.ch06.html"><LINK

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark AndrewsHREF="Bv9ARM.ch08.html"></HEAD

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews><BODY

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews><DIV

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews><TABLE

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews><TR

0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater><TH

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews>BIND 9 Administrator Reference Manual</TH

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews></TR

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews><TR

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews><TD

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><A

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>Prev</A

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt></TD

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><TD

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt></TD

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><TD

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><A

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>Next</A

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews></TD

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt></TR

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt></TABLE

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><HR

14a656f94b1fd0ababd84a772228dfa52276ba15Evan HuntWIDTH="100%"></DIV

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><DIV

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><H1

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><A

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>Chapter 7. <SPAN

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>BIND</SPAN

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt> 9 Security Considerations</A

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt></H1

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><DIV

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><DL

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><DT

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews><B

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>Table of Contents</B

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews></DT

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><DT

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews>7.1. <A

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews>Access Control Lists</A

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews></DT

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><DT

b2f07642fd712c8fda81a116bcdde229ab291f33Tinderbox User>7.2. <A

b2f07642fd712c8fda81a116bcdde229ab291f33Tinderbox User><B

b2f07642fd712c8fda81a116bcdde229ab291f33Tinderbox User>chroot</B

b2f07642fd712c8fda81a116bcdde229ab291f33Tinderbox User> and <B

b2f07642fd712c8fda81a116bcdde229ab291f33Tinderbox User>setuid</B

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews> (for

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark AndrewsUNIX servers)</A

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews></DT

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews><DT

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews>7.3. <A

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews>Dynamic Update Security</A

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews></DT

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews></DL

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews></DIV

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><DIV

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><H1

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><A

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>7.1. Access Control Lists</A

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews></H1

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><P

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>Access Control Lists (ACLs), are address match lists that

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox Useryou can set up and nickname for future use in <B

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User>allow-notify</B

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User>,

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<B

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews>allow-query</B

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>, <B

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User>allow-recursion</B

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User>,

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User<B

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>blackhole</B

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews>, <B

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>allow-transfer</B

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User>,

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox Useretc.</P

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User><P

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User>Using ACLs allows you to have finer control over who can access

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox Useryour nameserver, without cluttering up your config files with huge

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox Userlists of IP addresses.</P

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User><P

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>It is a <I

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews>good idea</I

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt> to use ACLs, and to

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Huntcontrol access to your server. Limiting access to your server by

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox Useroutside parties can help prevent spoofing and DoS attacks against

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox Useryour server.</P

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><P

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User>Here is an example of how to properly apply ACLs:</P

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><PRE

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>&#13;// Set up an ACL named "bogusnets" that will block RFC1918 space,

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt// which is commonly used in spoofing attacks.

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrewsacl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt// Set up an ACL called our-nets. Replace this with the real IP numbers.

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Huntacl our-nets { x.x.x.x/24; x.x.x.x/21; };

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox Useroptions {

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User ...

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User ...

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User allow-query { our-nets; };

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt allow-recursion { our-nets; };

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt ...

d3ddafd7469d1f3430ccd1b0fe0d13ccbbaf5debTinderbox User blackhole { bogusnets; };

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt ...

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt};

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox Userzone "example.com" {

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User type master;

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt file "m/example.com";

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt allow-query { any; };

6d45011a65dfc43f476ca15c3fd9ee5227eb968fTinderbox User};

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</PRE

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><P

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>This allows recursive queries of the server from the outside

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Huntunless recursion has been previously disabled.</P

6d45011a65dfc43f476ca15c3fd9ee5227eb968fTinderbox User><P

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>For more information on how to use ACLs to protect your server,

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Huntsee the <I

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>AUSCERT</I

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt> advisory at

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User<A

c247e3f281613fabe1af362e9f3157e35ebbe52cMark Andrews>ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</A

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt></P

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt></DIV

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User><DIV

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User><H1

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><A

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User>7.2. <B

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User>chroot</B

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User> and <B

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User>setuid</B

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User> (for

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox UserUNIX servers)</A

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User></H1

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><P

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>On UNIX servers, it is possible to run <SPAN

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>BIND</SPAN

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt> in a <I

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>chrooted</I

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt> environment

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt(<B

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>chroot()</B

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews>) by specifying the "<TT

0ccb0e98c77a9b9636a036f8f64f5679a430aaf4Tinderbox User>-t</TT

0ccb0e98c77a9b9636a036f8f64f5679a430aaf4Tinderbox User>"

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Huntoption. This can help improve system security by placing <SPAN

395c95214142142854509945adf3293c0270e1c5Tinderbox User>BIND</SPAN

395c95214142142854509945adf3293c0270e1c5Tinderbox User> in

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunta "sandbox," which will limit the damage done if a server is compromised.</P

395c95214142142854509945adf3293c0270e1c5Tinderbox User><P

395c95214142142854509945adf3293c0270e1c5Tinderbox User>Another useful feature in the UNIX version of <SPAN

395c95214142142854509945adf3293c0270e1c5Tinderbox User>BIND</SPAN

395c95214142142854509945adf3293c0270e1c5Tinderbox User> is the

395c95214142142854509945adf3293c0270e1c5Tinderbox Userability to run the daemon as a nonprivileged user ( <TT

395c95214142142854509945adf3293c0270e1c5Tinderbox User>-u</TT

395c95214142142854509945adf3293c0270e1c5Tinderbox User> <TT

395c95214142142854509945adf3293c0270e1c5Tinderbox User><I

395c95214142142854509945adf3293c0270e1c5Tinderbox User>user</I

395c95214142142854509945adf3293c0270e1c5Tinderbox User></TT

395c95214142142854509945adf3293c0270e1c5Tinderbox User> ).

395c95214142142854509945adf3293c0270e1c5Tinderbox UserWe suggest running as a nonprivileged user when using the <B

395c95214142142854509945adf3293c0270e1c5Tinderbox User>chroot</B

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt> feature.</P

395c95214142142854509945adf3293c0270e1c5Tinderbox User><P

395c95214142142854509945adf3293c0270e1c5Tinderbox User>Here is an example command line to load <SPAN

395c95214142142854509945adf3293c0270e1c5Tinderbox User>BIND</SPAN

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt> in a <B

395c95214142142854509945adf3293c0270e1c5Tinderbox User>chroot()</B

395c95214142142854509945adf3293c0270e1c5Tinderbox User> sandbox,

395c95214142142854509945adf3293c0270e1c5Tinderbox User<B

395c95214142142854509945adf3293c0270e1c5Tinderbox User>/var/named</B

395c95214142142854509945adf3293c0270e1c5Tinderbox User>, and to run <B

395c95214142142854509945adf3293c0270e1c5Tinderbox User>named</B

395c95214142142854509945adf3293c0270e1c5Tinderbox User> <B

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>setuid</B

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt> to

395c95214142142854509945adf3293c0270e1c5Tinderbox Useruser 202:</P

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><P

395c95214142142854509945adf3293c0270e1c5Tinderbox User><TT

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><B

395c95214142142854509945adf3293c0270e1c5Tinderbox User>/usr/local/bin/named -u 202 -t /var/named</B

395c95214142142854509945adf3293c0270e1c5Tinderbox User></TT

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt></P

6d45011a65dfc43f476ca15c3fd9ee5227eb968fTinderbox User><DIV

395c95214142142854509945adf3293c0270e1c5Tinderbox User><H2

395c95214142142854509945adf3293c0270e1c5Tinderbox User><A

395c95214142142854509945adf3293c0270e1c5Tinderbox User>7.2.1. The <B

395c95214142142854509945adf3293c0270e1c5Tinderbox User>chroot</B

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt> Environment</A

395c95214142142854509945adf3293c0270e1c5Tinderbox User></H2

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><P

395c95214142142854509945adf3293c0270e1c5Tinderbox User>In order for a <B

395c95214142142854509945adf3293c0270e1c5Tinderbox User>chroot()</B

395c95214142142854509945adf3293c0270e1c5Tinderbox User> environment to

395c95214142142854509945adf3293c0270e1c5Tinderbox Userwork properly in a particular directory

395c95214142142854509945adf3293c0270e1c5Tinderbox User(for example, <TT

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>/var/named</TT

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>),

395c95214142142854509945adf3293c0270e1c5Tinderbox Useryou will need to set up an environment that includes everything

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<SPAN

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>BIND</SPAN

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt> needs to run.

395c95214142142854509945adf3293c0270e1c5Tinderbox UserFrom <SPAN

395c95214142142854509945adf3293c0270e1c5Tinderbox User>BIND</SPAN

395c95214142142854509945adf3293c0270e1c5Tinderbox User>'s point of view, <TT

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>/var/named</TT

395c95214142142854509945adf3293c0270e1c5Tinderbox User> is

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Huntthe root of the filesystem. You will need to adjust the values of options like

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Huntlike <B

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>directory</B

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt> and <B

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>pid-file</B

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt> to account

395c95214142142854509945adf3293c0270e1c5Tinderbox Userfor this.

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</P

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><P

395c95214142142854509945adf3293c0270e1c5Tinderbox User>&#13;Unlike with earlier versions of BIND, you will typically

395c95214142142854509945adf3293c0270e1c5Tinderbox User<I

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>not</I

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt> need to compile <B

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>named</B

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>

395c95214142142854509945adf3293c0270e1c5Tinderbox Userstatically nor install shared libraries under the new root.

395c95214142142854509945adf3293c0270e1c5Tinderbox UserHowever, depending on your operating system, you may need

395c95214142142854509945adf3293c0270e1c5Tinderbox Userto set up things like

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<TT

395c95214142142854509945adf3293c0270e1c5Tinderbox User>/dev/zero</TT

4f9cb7bd58e2c0a7407fee3758ea265aee329ac6Tinderbox User>,

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<TT

395c95214142142854509945adf3293c0270e1c5Tinderbox User>/dev/random</TT

395c95214142142854509945adf3293c0270e1c5Tinderbox User>,

395c95214142142854509945adf3293c0270e1c5Tinderbox User<TT

395c95214142142854509945adf3293c0270e1c5Tinderbox User>/dev/log</TT

395c95214142142854509945adf3293c0270e1c5Tinderbox User>, and/or

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User<TT

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>/etc/localtime</TT

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User>.

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</P

395c95214142142854509945adf3293c0270e1c5Tinderbox User></DIV

0ccb0e98c77a9b9636a036f8f64f5679a430aaf4Tinderbox User><DIV

395c95214142142854509945adf3293c0270e1c5Tinderbox User><H2

395c95214142142854509945adf3293c0270e1c5Tinderbox User><A

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>7.2.2. Using the <B

395c95214142142854509945adf3293c0270e1c5Tinderbox User>setuid</B

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User> Function</A

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt></H2

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><P

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User>Prior to running the <B

0ccb0e98c77a9b9636a036f8f64f5679a430aaf4Tinderbox User>named</B

0ccb0e98c77a9b9636a036f8f64f5679a430aaf4Tinderbox User> daemon, use

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Huntthe <B

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User>touch</B

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User> utility (to change file access and

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Huntmodification times) or the <B

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User>chown</B

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User> utility (to

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox Userset the user id and/or group id) on files

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Huntto which you want <SPAN

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>BIND</SPAN

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User>

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox Userto write. Note that if the <B

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User>named</B

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User> daemon is running as a

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox Usernonprivileged user, it will not be able to bind to new restricted ports if the

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Huntserver is reloaded.</P

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User></DIV

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt></DIV

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><DIV

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User><H1

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User><A

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User>7.3. Dynamic Update Security</A

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User></H1

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User><P

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User>Access to the dynamic

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Huntupdate facility should be strictly limited. In earlier versions of

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<SPAN

0ccb0e98c77a9b9636a036f8f64f5679a430aaf4Tinderbox User>BIND</SPAN

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt> the only way to do this was based on the IP

395c95214142142854509945adf3293c0270e1c5Tinderbox Useraddress of the host requesting the update, by listing an IP address or

395c95214142142854509945adf3293c0270e1c5Tinderbox Usernetwork prefix in the <B

395c95214142142854509945adf3293c0270e1c5Tinderbox User>allow-update</B

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt> zone option.

395c95214142142854509945adf3293c0270e1c5Tinderbox UserThis method is insecure since the source address of the update UDP packet

395c95214142142854509945adf3293c0270e1c5Tinderbox Useris easily forged. Also note that if the IP addresses allowed by the

395c95214142142854509945adf3293c0270e1c5Tinderbox User<B

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User>allow-update</B

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt> option include the address of a slave

395c95214142142854509945adf3293c0270e1c5Tinderbox Userserver which performs forwarding of dynamic updates, the master can be

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunttrivially attacked by sending the update to the slave, which will

395c95214142142854509945adf3293c0270e1c5Tinderbox Userforward it to the master with its own source IP address causing the

395c95214142142854509945adf3293c0270e1c5Tinderbox Usermaster to approve it without question.</P

395c95214142142854509945adf3293c0270e1c5Tinderbox User><P

395c95214142142854509945adf3293c0270e1c5Tinderbox User>For these reasons, we strongly recommend that updates be

395c95214142142854509945adf3293c0270e1c5Tinderbox Usercryptographically authenticated by means of transaction signatures

395c95214142142854509945adf3293c0270e1c5Tinderbox User(TSIG). That is, the <B

395c95214142142854509945adf3293c0270e1c5Tinderbox User>allow-update</B

395c95214142142854509945adf3293c0270e1c5Tinderbox User> option should

395c95214142142854509945adf3293c0270e1c5Tinderbox Userlist only TSIG key names, not IP addresses or network

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Huntprefixes. Alternatively, the new <B

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User>update-policy</B

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>

395c95214142142854509945adf3293c0270e1c5Tinderbox Useroption can be used.</P

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><P

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>Some sites choose to keep all dynamically updated DNS data

395c95214142142854509945adf3293c0270e1c5Tinderbox Userin a subdomain and delegate that subdomain to a separate zone. This

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Huntway, the top-level zone containing critical data such as the IP addresses

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Huntof public web and mail servers need not allow dynamic update at

395c95214142142854509945adf3293c0270e1c5Tinderbox Userall.</P

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User></DIV

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt></DIV

395c95214142142854509945adf3293c0270e1c5Tinderbox User><DIV

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><HR

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox UserWIDTH="100%"><TABLE

61ab11c0ec845606f85452b2c9f2e223772aae00Tinderbox User><TR

61ab11c0ec845606f85452b2c9f2e223772aae00Tinderbox User><TD

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User><A

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User>Prev</A

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User></TD

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User><TD

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User><A

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User>Home</A

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User></TD

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><TD

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User><A

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>Next</A

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User></TD

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User></TR

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User><TR

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User><TD

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User><SPAN

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User>BIND</SPAN

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User> 9 Configuration Reference</TD

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User><TD

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User>&nbsp;</TD

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User><TD

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User>Troubleshooting</TD

14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt></TR

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User></TABLE

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User></DIV

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User></BODY

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User></HTML

659d063f23a35d77ad5826e6556d3137672bb937Tinderbox User>