Re: Update Security

2014-03-17 Thread Chris Buxton
On Mar 16, 2014, at 3:32 AM, Bob McDonald wrote:
> Ok so it's not painless. Do the updates still get forwarded to the master by
> the slaves or do I need to have all Windows devices needing update capability
> to point at the master?
>
> TIA,
>
> Bob

I don't believe it works with update for

Re: Update Security

2014-03-17 Thread Bob McDonald
Signed updates, that is...

On Sun, Mar 16, 2014 at 5:32 AM, Bob McDonald wrote:
> Ok so it's not painless. Do the updates still get forwarded to the master
> by the slaves or do I need to have all Windows devices needing update
> capability to point at the master?
>
> TIA,
>
> Bob
>
>
>
> On F

Re: Update Security

2014-03-16 Thread Bob McDonald
Ok so it's not painless. Do the updates still get forwarded to the master by the slaves or do I need to have all Windows devices needing update capability to point at the master?

TIA,

Bob

On Fri, Mar 14, 2014 at 7:36 PM, Chris Buxton wrote:
> On Mar 14, 2014, at 10:50 AM, Bob McDonald wrote

Re: Update Security

2014-03-14 Thread Chris Buxton
On Mar 14, 2014, at 10:50 AM, Bob McDonald wrote:
> I agree that TSIG or SIG(0) signed updates are certainly a more desirable
> approach than allowing updates via address. My DHCP server is set up to sign
> all of its updates this way. However, I have AD domain controllers in the
> environme

Re: Update Security

2014-03-14 Thread Bob McDonald
I agree that TSIG or SIG(0) signed updates are certainly a more desirable approach than allowing updates via address. My DHCP server is set up to sign all of its updates this way. However, I have AD domain controllers in the environment that don't currently use signed updates. Is there a fairly

Re: Update Security

2014-03-14 Thread Mark Andrews
If you are going to forward updates use TSIG or SIG(0) to sign the update and stop worrying about addresses. TSIG and SIG(0) are billions and billions of times stronger authenticators than an IP address. "allow-update-forwarding { any; };" says forward all updates regardless of the address they w