Udo Zumdick wrote:
> One other way I know is to use Dynamic DNS, but it is more complicated and
> (in my opinion) also sort of insecure.

Isn't that kind of like saying modifying a file is "sort of insecure"?

You don't let random people modify your files without proper protections/permissions/processes in place, do you? And if it's a file you really care about (e.g. has legal significance, governmental significance, or something that directly affects your competitiveness in the marketplace), you'd better have a robust auditing/logging regime so you can see who changed it how and when. Preferably even some sort of "versioning" so you can roll back the file to an earlier version if necessary.

Same thing with Dynamic Update in DNS. If you're naive enough to simply slap an "allow-update" on your zone(s), specifying IP addresses from ranges you don't trust to the nth degree, then shame on you. That would be like having a world-writable file on your public-facing server containing sensitive business-critical data.

Here, we only allow Dynamic Updates from the local box (in a few cases) or (much more commonly) with a TSIG key. And we don't make that TSIG key available to anyone outside of our own little trusted group (3 people) directly. Everyone else goes through a fairly elaborate web interface with an associated robust Access Control Subsystem, which ultimately fetches the appropriate TSIG key behind the scenes when it's time to make the actual Dynamic Update to DNS (after a bunch of permissions and sanity/consistency checks have been performed).

- Kevin
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
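Two named.conf variants for the contrast Kevin draws, as an added example that is not from the original thread: the weak allow-update-by-address stanza, its TSIG update-policy replacement, the local-only case, and logging for the audit trail. Zone names, key name, paths and the 203.0.113.0/24 range are assumed placeholders, and the two example.test stanzas are alternatives, not meant to coexist in one file.

```conf
// Constructed named.conf fragments illustrating the contrast in the post
// above; not Kevin's configuration. Zone, key name, paths and the
// 203.0.113.0/24 range are placeholders.

// WEAK: every host in an untrusted range may rewrite the whole zone with
// no authentication. This is the "world-writable file" case.
zone "example.test" {
    type master;
    file "example.test.db";
    allow-update { 203.0.113.0/24; };
};

// HARDENED: updates must carry a valid TSIG signature, and the key is only
// allowed to touch the names and record types the front end needs.
// Generate the key with: tsig-keygen -a hmac-sha256 webui-update-key
// Keep the file holding the secret readable by named only.
key "webui-update-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-base64-secret-from-tsig-keygen";
};

zone "example.test" {
    type master;
    file "example.test.db";
    // update-policy and allow-update are mutually exclusive; this grant
    // limits the key to A/AAAA/TXT records under dyn.example.test.
    update-policy {
        grant webui-update-key subdomain dyn.example.test. A AAAA TXT;
    };
};

// LOCAL-ONLY: the "updates from the local box" case. Only a client that can
// read named's session key (nsupdate -l on the same host) can sign.
zone "local.test" {
    type master;
    file "local.test.db";
    update-policy local;
};

// AUDIT: log every accepted and rejected update so a change can be traced
// to a key, a source address and a time.
logging {
    channel update_log {
        file "/var/log/named/update.log" versions 5 size 10m;
        severity info;
        print-time yes;
    };
    category update { update_log; };
    category update-security { update_log; };
};
```

Run `named-checkconf` on the resulting file before reloading; it will reject a zone that carries both allow-update and update-policy, and a key stanza whose secret is not valid base64.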
