[Freeipa-users] bind-dyndb-ldap and ddns updates from dhcp

Jan Pazdziora jpazdziora at redhat.com
Wed Dec 31 21:34:37 UTC 2014


On Wed, Dec 31, 2014 at 01:59:32PM -0500, Brendan Kearney wrote:
> 
> I have played with nsupdate, and it does look like updates will be
> allowed if I remove the access restriction, but I am losing the
> authenticity of the update, since the TSIG shared secret signs the
> update.

The goal is not to remove the access restriction. The goal is to use
something like

	update-policy {
		grant DHCP\047dhcp-server.example.com@EXAMPLE.COM wildcard * ANY;
	};

create service

	DHCP/dhcp-server.example.com@EXAMPLE.COM

or some similar principal for your DHCP server, retrieve its keytab
(possibly with ipa-getkeytab), and then do

	kinit -kt /the/path/to/the/dhcp/service.keytab DHCP/dhcp-server.example.com@EXAMPLE.COM
	nsupdate -g

> regardless of authentication, client updates to DNS zones are still a
> risk and a rogue app or user can still perform direct updates to zones,
> leading to impersonation/interception of services, denial of service
> attacks and more.

In the case of your DHCP use case, you certainly might not want to enable
the client updates. However, client updates are something different
from allowing a particular service (and only that service) to update
the zone records.

Also, note that how you enable the client updates matters. The wiki page

	http://www.freeipa.org/page/FreeIPAv2:Dynamic_updates_with_GSS-TSIG

suggests

	grant EXAMPLE.COM krb5-self * A;

which means that an authenticated host can only change its own A record
-- it cannot impersonate another hostname like you suggest.

> endpoints, or their users, should not be trusted to
> make updates to DNS zones.  TSIG signed updates from servers are still
> preferred over authenticated updates from endpoints or users.

A server has an identity just like a service, just like a user. You can have
an unimportant server and you can have an important (admin) user. Ruling
out authentication

> I am using ISC DHCP, and cannot speak to any level of effort required to
> incorporate Kerberos into the code.

The page

	http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/

shows how ISC DHCP's execute can be used to send the changes to
an external command, and that command can include the
kinit -kt + nsupdate -g combo.

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
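
An added example, not part of Jan's reply and not code from FreeIPA or ISC DHCP: the external command that ISC dhcpd's execute() could call to do the kinit -kt plus nsupdate -g step described above. The host names, the keytab path, the principal, the ipa / ipa-getkeytab invocations sketched in the header comments, the dhcpd.conf hook and the dedicated dhcp.example.com zone are all assumptions made for the illustration. It adds two things the thread discusses but the grant alone does not give you: the DHCP service principal may update the whole zone, yet the name it forwards comes from the client, so the script treats the hostname as untrusted input and confines it to one label inside the dedicated zone; and it uses a private credential cache so the lease hook never touches root's tickets.

```shell
#!/bin/sh
# dhcp-ddns.sh: GSS-TSIG dynamic DNS update on behalf of ISC dhcpd.
# Added example, not code from the original post, FreeIPA or ISC DHCP.
# Host names, paths, the principal and the dedicated zone are assumptions.
#
# One-time setup (assumed commands, run by an IPA admin):
#   ipa service-add DHCP/dhcp-server.example.com
#   ipa-getkeytab -s ipa.example.com -p DHCP/dhcp-server.example.com \
#       -k /etc/dhcp/dhcp.keytab      # then: chown dhcpd, chmod 0600
#   ipa dnszone-mod dhcp.example.com --dynamic-update=TRUE \
#       --update-policy='grant DHCP\047dhcp-server.example.com@EXAMPLE.COM wildcard * ANY;'
#   (and the same policy on the reverse zone, e.g. 2.0.192.in-addr.arpa)
#
# dhcpd.conf hook that calls this script (assumed):
#   on commit {
#     set clip   = binary-to-ascii(10, 8, ".", leased-ip-address);
#     set clhost = pick-first-value(option fqdn.hostname, option host-name, "");
#     execute("/usr/local/sbin/dhcp-ddns.sh", "add", clhost, clip);
#   }

KEYTAB=${DDNS_KEYTAB:-/etc/dhcp/dhcp.keytab}
PRINCIPAL=${DDNS_PRINCIPAL:-DHCP/dhcp-server.example.com@EXAMPLE.COM}
SERVER=${DDNS_SERVER:-ipa.example.com}
ZONE=${DDNS_ZONE:-dhcp.example.com}
TTL=${DDNS_TTL:-300}
# Private credential cache: never reuse or clobber root's ticket cache.
export KRB5CCNAME=${DDNS_CCACHE:-FILE:/run/dhcp-ddns.ccache}

# The label comes from the DHCP client (host-name / fqdn option), so it is
# untrusted input. Accept one lowercase hostname label only: no dots, so the
# client cannot steer the update outside ZONE even though the DHCP service
# principal is allowed to update the whole zone.
valid_label() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# reverse_name 192.0.2.10 -> 10.2.0.192.in-addr.arpa.
reverse_name() {
  printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# build_update add|delete <label> <ipv4>: write the nsupdate script to stdout.
# Forward and reverse records live in different zones, so each part gets
# its own "send" (one update message may only touch one zone).
build_update() {
  op=$1
  label=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  ip=$3
  valid_label "$label" || { echo "refusing client hostname '$2'" >&2; return 2; }
  fqdn="$label.$ZONE."
  ptr=$(reverse_name "$ip")
  echo "server $SERVER"
  case "$op" in
    add)
      echo "update delete $fqdn A"            # one lease, one address
      echo "update add $fqdn $TTL IN A $ip"
      echo "send"
      echo "update delete $ptr PTR"
      echo "update add $ptr $TTL IN PTR $fqdn"
      echo "send" ;;
    delete)
      echo "update delete $fqdn A $ip"
      echo "send"
      echo "update delete $ptr PTR $fqdn"
      echo "send" ;;
    *)
      echo "unknown operation '$op'" >&2; return 2 ;;
  esac
}

# run_update: get a ticket for the DHCP service principal from its keytab,
# then hand the script to nsupdate -g, which signs the request with GSS-TSIG.
# Re-running kinit on every lease is cheap and avoids expired-ticket failures
# on a dhcpd that stays up for months.
run_update() {
  kinit -kt "$KEYTAB" "$PRINCIPAL" || return 1
  build_update "$@" | nsupdate -g
}

# Act only when dhcpd invokes us with "add|delete label ip".
if [ $# -eq 3 ]; then
  run_update "$@"
fi
```

The dedicated zone is doing real security work here: `wildcard * ANY` lets the DHCP service rewrite every record in whatever zone it is granted on, so if that were example.com itself, a client that asks for host-name "ipa" would have the DHCP server overwrite the IPA server's A record with the client's lease. valid_label only stops names with dots; it cannot stop squatting on names inside the same zone, which is why the infrastructure names should live in a zone the DHCP principal has no grant on.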
