On 29 Oct 2018, at 10:40, Jim Popovitch via mailop wrote:
> You allow nsupdate from your cgi/php/java enabled webserver(s)?
My **what?** Are you high? Do you mean to be insulting???
But no, I don't run anything on my webserver that modifies its own DNS.
Although I would be vulnerable in theory to something on that machine
doing a specific update via the right RFC1918 interface using the right
hmac-sha512 key after installing nsupdate, guessing or stealing the key
from a substantially more hardened machine, and figuring out which
RFC1918 interface on which nameserver allows updates. At which point all
the attacker could do would be to add or remove a TXT record for a label
that is only used for ACME validation.
So no, I do not use the sort of simplistic security that causes BIND to
whine every time it loads its config and despite my longtime nickname, I
am not a total clown.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
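The posture described in the message above, written out as a BIND 9 named.conf fragment. This is an added illustration, not configuration posted in the thread or taken from Bill Cole's servers; the zone name example.com, the key name acme-update, the address range 10.0.0.0/8 and the contrasting "weak" stanza are all assumptions made for the example. The "right RFC1918 interface" part of his description lives outside named.conf (listen-on and the host firewall) and is not modelled here; what the fragment shows is how a TSIG key is scoped so that, even if stolen, it can only add or remove the one TXT record used for ACME validation.

```conf
// ---- Weak form (assumed, shown only for contrast) ----
// Authorization by source address alone. Any process on any host that can
// source packets from 10.0.0.0/8, a compromised CGI/PHP/Java web server
// included, may add, change or delete every record in the zone.
//
// zone "example.com" {
//     type master;
//     file "example.com.zone";
//     allow-update { 10.0.0.0/8; };
// };

// ---- Scoped form ----
// TSIG key, generated on the nameserver with
//   tsig-keygen -a hmac-sha512 acme-update
// and copied only to the separate, more hardened host that runs the ACME
// client. It is never placed on the web server.
key "acme-update" {
    algorithm hmac-sha512;
    secret "REPLACE-WITH-THE-BASE64-SECRET-FROM-tsig-keygen";
};

zone "example.com" {
    type master;                  // "primary" on BIND 9.16 and later
    file "example.com.zone";

    // update-policy replaces allow-update. The grant names exactly one
    // owner name and one RR type: the key may write TXT records at
    // _acme-challenge.example.com and nothing else. A correctly signed
    // update for any other name or type (an A record for www, an NS
    // record at the apex, MX records) is answered REFUSED.
    update-policy {
        grant acme-update name _acme-challenge.example.com. TXT;
    };
};
```

Check the fragment with `named-checkconf` before reloading, then verify the scoping from the ACME host with `nsupdate -k /path/to/acme-update.key`: an `update add _acme-challenge.example.com. 60 TXT "token"` followed by `send` succeeds, while an `update add www.example.com. 60 A 192.0.2.1` signed with the same key must come back REFUSED. If the second one succeeds, the grant is wider than intended and a stolen key would be worth considerably more than one TXT record.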