On Mon, 2014-12-29 at 16:53 -0500, Dmitri Pal wrote:
> On 12/29/2014 04:47 PM, Brendan Kearney wrote:
> > Where can I find howto info around setting up bind-dyndb-ldap to accept
> > DDNS updates from DHCP?  Usually, I have a shared key defined in DNS and
> > DHCP, and the updates are authenticated.  Where are the docs for setting
> > this up in bind-dyndb-ldap?
> >
> I am not sure I understand the use case correctly.
> bind-dyndb-ldap is a back-end driver for BIND to get data from an LDAP
> storage.
> The updates are done by BIND. The IPA BIND accepts Kerberos-based updates.
> 
> http://www.freeipa.org/page/FreeIPAv2:Dynamic_updates_with_GSS-TSIG
> 
> -- 
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
> 

This allows a ticketed client to update DNS records directly, which
is not a best practice and is a huge security risk.  Clients should not
be able to manipulate DNS zones.

Dynamic updates to DNS zones should come from DHCP, where dynamic
addressing is managed.  As such, I have directives in DHCP and DNS to
establish authenticated updates between DHCP and DNS.  For example:

/etc/named.conf:

key "dhcp" {
        algorithm hmac-md5;
        secret SomeRandomString;
};
...
zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "dynamic/1.168.192.in-addr.arpa.db";
        allow-update { key dhcp; };
};

zone "bpk2.com" IN {
        type master;
        file "dynamic/bpk2.com.db";
        check-names ignore;
        allow-update { key dhcp; };
};

/etc/dhcp/dhcpd.conf

key "dhcp" {
        algorithm hmac-md5;
        secret SomeRandomString;
};

zone 1.168.192.in-addr.arpa {
        primary 192.168.1.1;
        key dhcp;
}

zone bpk2.com {
        primary 192.168.1.1;
        key dhcp;
}

Because the DHCP daemon is not Kerberized, the update policies do not
seem to cover the situation where clients are not allowed to update DNS
zones themselves.

I am wondering how to manage DDNS updates from DHCP, where Kerberized
updates are not likely going to happen.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
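An added example, not from the thread or from bind-dyndb-ldap, that audits the two configs in the post for the properties this TSIG setup relies on: the shared key identical in named.conf and dhcpd.conf, no weak HMAC algorithm, and every dynamic zone's allow-update restricted to a key rather than any. The configs are trimmed copies of the post's fragments with its placeholder secret; the lab.example zone and the WEAK_ALGS set are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed configs modelled on the named.conf / dhcpd.conf fragments in the
# post (placeholder secret, not a real key); lab.example is added to show an open ACL.
NAMED_CONF = """
key "dhcp" { algorithm hmac-md5; secret SomeRandomString; };
zone "1.168.192.in-addr.arpa" IN { type master; allow-update { key dhcp; }; };
zone "bpk2.com" IN { type master; allow-update { key dhcp; }; };
zone "lab.example" IN { type master; allow-update { any; }; };
"""
DHCPD_CONF = """
key "dhcp" { algorithm hmac-md5; secret SomeRandomString; };
zone 1.168.192.in-addr.arpa { primary 192.168.1.1; key dhcp; }
zone bpk2.com { primary 192.168.1.1; key dhcp; }
"""
WEAK_ALGS = {"hmac-md5"}  # TSIG algorithms a current deployment should retire

def blocks(conf: str, kind: str) -> Dict[str, str]:
    """Return {name: body} for each `<kind> <name> ... { body }` statement, matching
    braces by depth; a bare `key dhcp;` inside an ACL has no `{` and is skipped."""
    out: Dict[str, str] = {}
    for m in re.finditer(r'\b%s\s+"?([\w.-]+)"?[^{};]*\{' % kind, conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        out[m.group(1)] = conf[m.end():i - 1]
    return out

def normalize(body: str) -> str:
    return re.sub(r'["\s]+', " ", body).strip()

def audit(named: str, dhcpd: str) -> List[str]:
    """Cross-check the TSIG setup: shared key identical on both sides, no weak
    algorithm, and every dynamic zone restricted to a key rather than `any`."""
    findings: List[str] = []
    nkeys, nzones = blocks(named, "key"), blocks(named, "zone")
    for name, body in blocks(dhcpd, "key").items():
        if normalize(body) != normalize(nkeys.get(name, "")):
            findings.append(f"key {name}: missing or differs in named.conf")
        alg = re.search(r"algorithm\s+([\w-]+)", body)
        if alg and alg.group(1).lower() in WEAK_ALGS:
            findings.append(f"key {name}: weak algorithm {alg.group(1)}")
    for zone, body in nzones.items():
        acl = re.search(r"allow-update\s*\{([^}]*)\}", body)
        if acl and re.search(r"\bany\b", acl.group(1)):
            findings.append(f"zone {zone}: allow-update permits any client")
    return findings
```

Run against the post's own two zones the audit only reports the hmac-md5 algorithm; the constructed lab.example zone shows how an open allow-update ACL is flagged.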
