[Freeipa-devel] DNS update mechanism: news about update authorization

Simo Sorce simo at redhat.com
Fri Mar 1 14:39:25 UTC 2013 

On Fri, 2013-03-01 at 15:29 +0100, Petr Spacek wrote:
> Hello list,
> 
> we would like to share some news about DNS update mechanism:
> 
> - It is possible to allow particular principal to update all records in a zone.
> 
> - It is possible to allow clients to update own PTR records. PTR update can be 
> "authenticated and authorized" by source IP address of the TCP connection from 
> the client. E.g. client with IP address 192.0.2.31 is able to modify only PTR 
> record with name 31.0.2.192.in-addr.arpa., nothing else.
> 
> See examples in following how-to:
> http://freeipa.org/page/Dynamic_updates_with_GSS-TSIG#Dynamic_update_policy
> 
> 
> Simo pointed to fact that "TCP authenticated" update requests can be more 
> secure than current approach with "PTR synchronization" magic (done inside 
> bind-dyndb-ldap).
> 
> Unfortunately, it is not possible to combine TCP "authentication" with 
> GSS-TSIG signature. BIND's ACL check mechanism stops at first match, so it is 
> not possible to combine multiple requirements.
> 
> 'tcp-self' rule ignores request signature completely. Implementation of (TCP 
> && signed) requirement will require patching BIND. I don't like that idea, 
> because we will deviate from plain BIND docs and it will cause confusion.
> 
> We can propose a change and send patches to ISC. It should be possible to 
> implement new 'tcp-signed-self' mechanism with only few lines of code. The 
> question is how it should behave:
> 
> Is *any* signature enough? I.e. anybody with valid Kerberos ticket is allowed 
> to do tcp-self update?

Should be at least a host/ principal, otherwise a mere user could change
the PTR record, would be even better if we can match the fqdn int the
host/ principal to the content of the PTR record.

So if you sign with principal for host/foo.bar.baz and come from
10.11.22.33 then you can only create a PTR record of 10.11.22.33 ->
foo.bar.baz

> Should we implement configurable realm check? I.e. the update will be allowed 
> only if the update is signed by principal from specified Kerberos realm?

This too would be nice but not as important.

> How it should work with Kerberos trusts?

You would prevent principals from a trusted domain to update DNS
entries.
Checking for the REALM part should be optional. 

> Also, it should be possible to implement more strict check: Updated name in 
> reverse zone (e.g. 31.0.2.192.in-addr.arpa.) has to match client's IP address 
> and *at the same time* name stored to PTR record has to match name in client's 
> principal.
> 
> Example:
> - client's IP address: 192.0.2.31
> - client's principal: host/client.example.com at TRUSTED.EXAMPLE.COM

Yeah I should have read the whole message trough before starting
replying :-)

> This particular client is allowed only to add record:
> 31.0.2.192.in-addr.arpa. IN PTR client.example.com.
> 
> Question is how to authorize record deletion. I tend to allow all delete 
> operations for (reverse) name matching client's IP address.

Yes this would be ok, worst case the PTR is lost.
Again I would allow only by principals of the type host/* or maybe DNS/*
not from every principal.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

More information about the Freeipa-devel mailing list