
Update Security


Bob McDonald

Mar 14, 2014, 12:24:28 PM3/14/14
to bind-...@lists.isc.org
I want to confirm my understanding of security of DDNS updates.

I have a stealth master "A" feeding slave "B" and "C".

I have allow-update-forwarding { any; } specified on "B" and "C".

If a client "D" presents an update to "B" or "C" it will automatically be forwarded to "A".

If "B" or "C" are in the allow-updates ACL on "A" all updates will be applied.

If "D" is in the allow-updates ACL on "A" (and not "B" or "C") the updates from "D" will be applied. However an update from "E" presented to "B" or "C" will be forwarded but not processed.

Is this correct?

Bob

Mark Andrews

Mar 14, 2014, 12:41:34 PM3/14/14
to Bob McDonald, bind-...@isc.org

In message <CAM-YptcevrqfJN0371Zk43gyDt5TiEKusf4EW6=XPvzpwP=H...@mail.gmail.com>
No.

If you are going to forward updates use TSIG or SIG(0) to sign the
update and stop worrying about addresses. TSIG and SIG(0) are
billions and billions of times stronger authenticators than an IP
address.

"allow-update-forwarding { any; };" says forward all updates
regardless of the address they were sent from.

As for your question. Addresses are not preserved so A doesn't know
it came from E unless the messages are signed.

Mark

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Bob McDonald

Mar 14, 2014, 1:50:17 PM3/14/14
to Mark Andrews, bind-...@isc.org
I agree that TSIG or SIG(0) signed updates are certainly a more desirable approach than allowing updates via address. My DHCP server is set up to sign all of its updates this way. However, I have AD domain controllers in the environment that don't currently use signed updates. Is there a fairly painless way to convert all the AD machines to signed updates?

TIA,

Bob

Chris Buxton

Mar 14, 2014, 8:36:57 PM3/14/14
to Bob McDonald, bind-...@isc.org
On Mar 14, 2014, at 10:50 AM, Bob McDonald <bmcdo...@gmail.com> wrote:

> I agree that TSIG or SIG(0) signed updates are certainly a more desirable approach than allowing updates via address. My DHCP server is set up to sign all of its updates this way. However, I have AD domain controllers in the environment that don't currently use signed updates. Is there a fairly painless way to convert all the AD machines to signed updates?

You would need to set up GSS-TSIG, which is not painless. (It's certainly doable, but there are plenty of pitfalls to overcome.) Windows doesn't support TSIG, just GSS-TSIG.

AFAIK, use of GSS-TSIG requires update-policy instead of allow-update on the master.

Regards,
Chris Buxton.
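
As an added example (not a configuration from this thread or from either poster), here is a named.conf sketch of the layout discussed above: the hidden master "A" authenticates updates by signature rather than source address, using update-policy so that both a TSIG key (the DHCP server) and GSS-TSIG principals (Windows machines) can be granted rights, while slaves "B" and "C" forward updates to it. Key name, secret, keytab path, realm, zone name and addresses are placeholders.

```conf
# --- hidden master "A" (placeholder address 192.0.2.10) ---
# TSIG key shared with the DHCP server; secret is a placeholder.
key "dhcp-update" {
    algorithm hmac-sha256;
    secret "<BASE64-SECRET-FROM-tsig-keygen>";
};

options {
    # Kerberos service keytab for GSS-TSIG from Windows clients (placeholder path)
    tkey-gssapi-keytab "/etc/named/dns.keytab";
};

zone "example.com" {
    type master;
    file "dyn/example.com.db";
    # update-policy instead of allow-update: no address-based grants at all,
    # and GSS-TSIG principals can only be matched here.
    update-policy {
        # DHCP server: the TSIG key may change any record under this zone
        grant dhcp-update zonesub ANY;
        # Windows machine accounts in realm EXAMPLE.COM (placeholder) may
        # change only their own A/AAAA; the name field is unused for ms-self
        grant EXAMPLE.COM ms-self . A AAAA;
    };
    also-notify    { 192.0.2.11; 192.0.2.12; };
    allow-transfer { 192.0.2.11; 192.0.2.12; };
};

# --- slaves "B" and "C" ---
# Forward every update to A unchanged. The TSIG/GSS-TSIG signature travels
# with the message; the original client's address does not, so A decides
# purely on the signature.
zone "example.com" {
    type slave;
    file "slaves/example.com.db";
    masters { 192.0.2.10; };
    allow-update-forwarding { any; };
};
```

As noted later in the thread, Windows clients send GSS-TSIG updates directly to the server named in the SOA MNAME, so that name must point at A and A must be reachable from them; the forwarding path on B and C then only needs to carry the TSIG-signed DHCP updates.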

Bob McDonald

Mar 16, 2014, 6:32:40 AM3/16/14
to Chris Buxton, bind-...@isc.org
Ok so it's not painless. Do the updates still get forwarded to the master by the slaves or do I need to have all Windows devices needing update capability point at the master?

TIA,

Bob

Bob McDonald

Mar 17, 2014, 7:19:17 AM3/17/14
to Chris Buxton, bind-...@isc.org
Signed updates, that is...

Chris Buxton

Mar 17, 2014, 5:35:30 PM3/17/14
to Bob McDonald, bind-...@isc.org
On Mar 16, 2014, at 3:32 AM, Bob McDonald <bmcdo...@gmail.com> wrote:

> Ok so it's not painless. Do the updates still get forwarded to the master by the slaves or do I need to have all Windows devices needing update capability point at the master?
>
> TIA,
>
> Bob

I don't believe it works with update forwarding. I've certainly never gotten it to work. However, Microsoft will send the updates to the master listed in the SOA record, so as long as that shows your otherwise-hidden master, and firewall access is set up for it, everything should work fine.

Regards,
Chris Buxton
