[Freeipa-users] bind-dyndb-ldap and ddns updates from dhcp

Loris Santamaria loris at lgs.com.ve
Wed Dec 31 21:12:10 UTC 2014


On Wed, 31-12-2014 at 13:59 -0500, Brendan Kearney wrote:

> regardless of authentication, client updates to DNS zones are still a
> risk and a rogue app or user can still perform direct updates to zones,
> leading to impersonation/interception of services, denial of service
> attacks and more.  endpoints, or their users, should not be trusted to
> make updates to DNS zones.  TSIG signed updates from servers are still
> preferred over authenticated updates from endpoints or users.

Not really. With the default ipa configuration (grant ZONE.COM krb5-self
* A) the worst that the administrator of a workstation, with access to
the host keytab, could do is point the A record of her workstation to a
wrong address.

Please note that someone able to read the host keytab (root on the
workstation) could simply skip dhcp negotiation and assign to her
workstation any address she likes.

With the default ipa configuration a workstation can only set _its_ A,
AAAA and SSHFP records. No less and no more.

Best regards
-- 
Loris Santamaria   linux user #70506   xmpp:loris at lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:103 at lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford
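To make the argument above concrete, here is an added example that is not part of the thread and not code from FreeIPA or bind-dyndb-ldap: a small evaluator for a BIND-style update-policy string of the kind IPA stores per zone. It is a simplified reimplementation of BIND's matching rules (first matching rule wins, no match means refusal) for the krb5-self, name, subdomain and wildcard match types only. The three krb5-self grants mirror the "grant ZONE.COM krb5-self * A" shape the poster describes; the TSIG key name `dhcp-server-key`, the realm `EXAMPLE.COM` and the host principals are constructed for the demonstration, and the DHCP-server grant is a hypothetical addition, not an IPA default.

```python
"""Evaluate a BIND update-policy string such as FreeIPA stores per zone
(idnsUpdatePolicy) and bind-dyndb-ldap hands to BIND.

Added example, not code from the thread or from FreeIPA/bind-dyndb-ldap.
Simplified reimplementation of BIND semantics: rules are tried in order,
the first rule whose identity, name and RR type all match decides, and
no matching rule means the update is refused.
"""
import re
from dataclasses import dataclass, field

RULE_RE = re.compile(r"\s*(grant|deny)\s+(\S+)\s+(\S+)\s+(\S+)\s*([^;]*);", re.I)


@dataclass
class Rule:
    action: str        # "grant" or "deny"
    identity: str      # Kerberos realm (krb5-self), principal, or TSIG key name
    matchtype: str     # krb5-self | name | subdomain | wildcard
    name: str          # owner-name pattern; ignored for krb5-self
    types: set = field(default_factory=set)   # empty set means any RR type


def _norm(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot for fair comparison."""
    return name.rstrip(".").lower()


def parse_policy(policy: str) -> list:
    """Split 'grant ID MATCHTYPE NAME [TYPES...];' statements into Rule objects."""
    rules = []
    for action, identity, matchtype, name, types in RULE_RE.findall(policy):
        rules.append(Rule(action.lower(), identity, matchtype.lower(), _norm(name),
                          {t.upper() for t in types.split()}))
    return rules


def _identity_and_name_match(rule: Rule, identity: str, name: str) -> bool:
    name = _norm(name)
    if rule.matchtype == "krb5-self":
        # The identity field is a realm. A principal host/<fqdn>@REALM may only
        # touch records whose owner name is exactly <fqdn>; the NAME field is ignored.
        m = re.fullmatch(r"host/([^@/]+)@(.+)", identity)
        return bool(m) and m.group(2).upper() == rule.identity.upper() \
            and _norm(m.group(1)) == name
    if _norm(identity) != _norm(rule.identity):
        return False
    if rule.matchtype == "name":
        return name == rule.name
    if rule.matchtype == "subdomain":
        return name == rule.name or name.endswith("." + rule.name)
    if rule.matchtype == "wildcard":
        # Simplified DNS wildcard: '*.example.com' matches any name below example.com.
        if rule.name.startswith("*."):
            suffix = rule.name[1:]
            return name.endswith(suffix) and len(name) > len(suffix)
        return name == rule.name
    return False   # match types this example does not model never match


def is_update_allowed(policy: str, identity: str, name: str, rrtype: str) -> bool:
    """True if the first matching rule grants the update, False otherwise."""
    rrtype = rrtype.upper()
    for rule in parse_policy(policy):
        if not _identity_and_name_match(rule, identity, name):
            continue
        if rule.types and rrtype not in rule.types:
            continue
        return rule.action == "grant"
    return False


# Constructed policy: the krb5-self grants follow the shape the thread describes
# as IPA's default; the TSIG-key grant for a DHCP server is a hypothetical addition.
DEFAULT_POLICY = (
    "grant EXAMPLE.COM krb5-self * A; "
    "grant EXAMPLE.COM krb5-self * AAAA; "
    "grant EXAMPLE.COM krb5-self * SSHFP; "
)
DHCP_POLICY = DEFAULT_POLICY + "grant dhcp-server-key wildcard *.example.com A;"

WS = "host/ws1.example.com@EXAMPLE.COM"   # constructed workstation host principal

if __name__ == "__main__":
    checks = [(WS, "ws1.example.com", "A"), (WS, "ws1.example.com", "SSHFP"),
              (WS, "ws2.example.com", "A"), (WS, "ws1.example.com", "MX")]
    for ident, owner, rtype in checks:
        print(f"{ident} -> {owner} {rtype}: "
              f"{is_update_allowed(DEFAULT_POLICY, ident, owner, rtype)}")
```

Run as a script it prints the four cases: the workstation principal may set the A and SSHFP records of ws1, but not the A record of ws2 or any other record type of its own name, which is the "no less and no more" behaviour the reply describes. With the hypothetical DHCP grant appended, a TSIG-signed update from the DHCP server may set A records under the zone but nothing else.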