[Freeipa-users] bind-dyndb-ldap and ddns updates from dhcp
Jan Pazdziora
jpazdziora at redhat.com
Wed Dec 31 21:34:37 UTC 2014
On Wed, Dec 31, 2014 at 01:59:32PM -0500, Brendan Kearney wrote:
>
> i have played with nsupdate, and it does look like updates will be
> allowed if i remove the access restriction, but i am losing the
> authenticity of the update, since the TSIG shared secret signs the
> update.
The goal is not to remove the access restriction. The goal is to use
something like

    update-policy {
        grant DHCP/dhcp-server.example.com@EXAMPLE.COM wildcard * ANY;
    };

create service

    DHCP/dhcp-server.example.com@EXAMPLE.COM

or some similar principal for your DHCP server, retrieve its keytab
(possibly with ipa-getkeytab), and then do

    kinit -kt /the/path/to/the/dhcp/service.keytab
    nsupdate -g
> regardless of authentication, client updates to DNS zones are still a
> risk and a rogue app or user can still perform direct updates to zones,
> leading to impersonation/interception of services, denial of service
> attacks and more.
In the case of your DHCP use case, you certainly might not want to enable
the client updates. However, client updates are something different
from allowing a particular service (and only that service) to update
the zone records.
Also, note that how you enable the client updates matters. The wiki page
http://www.freeipa.org/page/FreeIPAv2:Dynamic_updates_with_GSS-TSIG
suggests

    grant EXAMPLE.COM krb5-self * A;

which means that an authenticated host can only change its own A record
-- it cannot impersonate another hostname like you suggest.
> endpoints, or their users, should not be trusted to
> make updates to DNS zones. TSIG signed updates from servers are still
> preferred over authenticated updates from endpoints or users.
A server has an identity just like a service, just like a user. You can have
an unimportant server and you can have an important (admin) user. Ruling
out authentication
> i am using ISC DHCP, and cannot speak to any level of effort required to
> incorporate Kerberos into the code.
The page
http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/
shows how ISC DHCP's execute can be used to send the changes to
an external command, and that command can include the
kinit -kt + nsupdate -g combo.
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
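As an added example, not part of the thread above, a shell hook of the kind the reply describes: it assumes the service principal and a keytab path like the ones mentioned above (both placeholders), builds the nsupdate commands that replace a lease's A and PTR records, and pushes them with nsupdate -g after kinit -kt, so the update is signed with the DHCP server's own credentials rather than sent unauthenticated.

```shell
#!/bin/sh
# Hypothetical ISC DHCP "execute" hook for GSS-TSIG dynamic DNS updates.
# Assumed (placeholders): the DHCP server holds a keytab for the principal
# DHCP/dhcp-server.example.com@EXAMPLE.COM and named grants that principal
# update rights via "grant ... wildcard * ANY;". Adjust paths and names.

KEYTAB="${KEYTAB:-/etc/dhcp/dhcp-service.keytab}"
PRINCIPAL="${PRINCIPAL:-DHCP/dhcp-server.example.com@EXAMPLE.COM}"
ZONE="${ZONE:-example.com}"
TTL="${TTL:-3600}"

# Build the in-addr.arpa owner name for a dotted IPv4 address.
reverse_name() {
    echo "$1" | awk -F. '{ print $4"."$3"."$2"."$1".in-addr.arpa." }'
}

# Emit the nsupdate commands for one lease: hostname label and IPv4 address.
# Each record is deleted before it is added so a renewed lease with a new
# address does not leave stale A/PTR data behind. The A and PTR updates go
# in separate messages ("send") because they belong to different zones.
nsupdate_script() {
    host="$1.$ZONE."
    ip="$2"
    ptr=$(reverse_name "$ip")
    printf 'update delete %s A\n' "$host"
    printf 'update add %s %s A %s\n' "$host" "$TTL" "$ip"
    printf 'send\n'
    printf 'update delete %s PTR\n' "$ptr"
    printf 'update add %s %s PTR %s\n' "$ptr" "$TTL" "$host"
    printf 'send\n'
}

# Obtain a ticket for the DHCP service principal, then sign the update with
# GSS-TSIG. Fails closed: no credentials, no update.
dhcp_dns_update() {
    kinit -kt "$KEYTAB" "$PRINCIPAL" || return 1
    nsupdate_script "$1" "$2" | nsupdate -g
}

# Called from dhcpd as: script <hostname> <ipv4-address>
if [ -n "$1" ] && [ -n "$2" ]; then
    dhcp_dns_update "$1" "$2"
fi
```

The hook would be wired up from dhcpd.conf with an execute() call in an on commit block that passes the lease's hostname and address; the exact expressions depend on your dhcpd configuration.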