On Mon, Dec 29, 2014 at 07:12:26PM -0500, Brendan Kearney wrote:
> On Mon, 2014-12-29 at 16:53 -0500, Dmitri Pal wrote:
> > bind-dyndb-ldap is a back end driver for BIND to get data from an LDAP
> > storage.
> > The updates are done by BIND. The IPA BIND accepts Kerberos-based updates.
> >
> > http://www.freeipa.org/page/FreeIPAv2:Dynamic_updates_with_GSS-TSIG
>
> This allows for a ticketed client to update DNS records directly, which
> is not a best practice and is a huge security risk. Clients should not
> be able to manipulate DNS zones.

Only if you configure that. But you don't have to grant krb5-self, you
can grant the SERVICE\047ipaserver.example....@example.com wildcard * ANY;
and just have the DHCP service call nsupdate -g.

> Dynamic updates to DNS zones should come from DHCP, where dynamic
> addressing is managed. As such, I have directives in DHCP and DNS to
> establish authenticated updates between DHCP and DNS. For example:
>
> /etc/named.conf:
>
> key "dhcp" {
>     algorithm hmac-md5;
>     secret SomeRandomString;
> };

With FreeIPA, Kerberos authentication is really the preferred way of
integrating pieces together because it provides the identity of the
service running the action, not just some shared secret / password.

> Because the DHCP daemon is not kerberized, the update policies do not
[...]
> I am wondering how to manage DDNS updates from DHCP, where kerberized
> updates are not likely going to happen.

What DHCP software is that and how hard would it be to Kerberize it?

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
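The approach Jan describes, a DHCP service principal granted update rights on the zone and `nsupdate -g` doing the GSS-TSIG update, as an added example that is not code from the thread or from FreeIPA. The service principal `DHCP/dhcp.example.com@EXAMPLE.COM`, the keytab path `/etc/dhcp/dhcp.keytab`, the server name `ipaserver.example.com` and the zones are assumptions for the example; substitute your own.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: a DHCP-side
# lease hook that pushes forward and reverse records into IPA DNS with
# GSS-TSIG (nsupdate -g), the Kerberized alternative to a shared
# hmac-md5 TSIG key. All names below are assumptions for the example:
# the DHCP service principal, its keytab, the IPA DNS server and zones.
set -eu

KEYTAB=${KEYTAB:-/etc/dhcp/dhcp.keytab}            # assumed keytab path
PRINC=${PRINC:-DHCP/dhcp.example.com@EXAMPLE.COM}  # assumed service principal
NS=${NS:-ipaserver.example.com}                     # assumed IPA DNS server
TTL=${TTL:-300}

# reverse_name IPV4 -> owner name for the PTR record
# e.g. 10.0.1.25 -> 25.1.0.10.in-addr.arpa
reverse_name() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1"
}

# build_update FQDN IP -> nsupdate batch on stdout.
# Forward and reverse records live in different zones, so each gets its
# own "send"; within a zone the delete+add pair is one transaction,
# which replaces whatever the previous lease for this name wrote.
build_update() {
    fqdn=$1
    ip=$2
    ptr=$(reverse_name "$ip")
    cat <<EOF
server $NS
update delete $fqdn. A
update add $fqdn. $TTL A $ip
send
update delete $ptr. PTR
update add $ptr. $TTL PTR $fqdn.
send
EOF
}

# send_update FQDN IP: obtain a ticket from the service keytab into a
# private credential cache, push the batch with GSS-TSIG, clean up.
# The DNS server sees the principal's identity, not a secret it also
# has to store, which is the point Jan makes above.
send_update() {
    ccache=$(mktemp)
    trap 'kdestroy -q 2>/dev/null || true; rm -f "$ccache"' EXIT
    export KRB5CCNAME="FILE:$ccache"
    kinit -kt "$KEYTAB" "$PRINC"
    build_update "$1" "$2" | nsupdate -g
}

# Usage: ddns-hook.sh host.example.com 10.0.1.25
if [ $# -eq 2 ]; then
    send_update "$1" "$2"
fi
```

The hook is meant to be called from the DHCP server's lease lifecycle (for ISC dhcpd, an `on commit { execute(...); }` event statement) with the client's FQDN and address. Two caveats a practitioner would want: `wildcard * ANY` lets that principal rewrite any record in the zone, so the keytab needs the same protection the TSIG secret it replaces would have had; and because `nsupdate` only talks to the server after `kinit` succeeds, a missing or expired keytab fails closed rather than falling back to an unauthenticated update.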