[Freeipa-users] bind-dyndb-ldap and ddns updates from dhcp

Jan Pazdziora jpazdziora at redhat.com
Wed Dec 31 21:40:19 UTC 2014


On Wed, Dec 31, 2014 at 10:34:37PM +0100, Jan Pazdziora wrote:
> 
> > endpoints, or their users, should not be trusted to
> > make updates to DNS zones.  TSIG signed updates from servers are still
> > preferred over authenticated updates from endpoints or users.
> 
> Server has identity just like service, just like user. You can have
> unimportant server and you can have important (admin) user. Ruling
> out authentication

... oops, I seem to have failed to finish this paragraph.

Ruling out authentication of identities means that you give up on
centrally controlled access policies -- something that FreeIPA is
good at, besides just storing identities.

In other words, instead of having an increasing number of shared
secrets around your network, it might be useful to adopt the
approach where identities can get created without many restrictions,
and what you allow those identities to do is what matters.

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
