[Freeipa-users] bind-dyndb-ldap and ddns updates from dhcp
Petr Spacek
pspacek at redhat.com
Mon Jan 5 08:34:48 UTC 2015
On 31.12.2014 22:40, Jan Pazdziora wrote:
> On Wed, Dec 31, 2014 at 10:34:37PM +0100, Jan Pazdziora wrote:
>>
>>> endpoints, or their users, should not be trusted to
>>> make updates to DNS zones. TSIG signed updates from servers are still
>>> preferred over authenticated updates from endpoints or users.
>>
>> Server has identity just like service, just like user. You can have
>> unimportant server and you can have important (admin) user. Ruling
>> out authentication
>
> ... oops, I seem to have failed to finish this paragraph.
>
> Ruling out authentication of identities means that you give up on
> centrally controlled access policies -- something that FreeIPA is
> good at, besides just storing identities.
>
> In other words, instead of having an increasing number of shared
> secrets around your network, it might be useful to adopt the
> approach when identities can get created without many restrictions,
> and what you allow those identities to do is what matters.
Generally I agree with Jan.
If you insist on using TSIG, you can do that manually by editing named.conf on
IPA servers:
http://www.freeipa.org/page/Howto/DNS_updates_and_zone_transfers_with_TSIG
--
Petr^2 Spacek
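As an added illustration (not from the thread or from the linked howto), the fragment below shows what a manual TSIG key definition looks like in plain BIND 9 named.conf syntax, with the broad setting that hands a DHCP server the whole zone beside a least-privilege update-policy. The key name, zone names and secret are assumptions; how an IPA-managed zone references such a key is covered by the linked howto and is not reproduced here.

```conf
// Shared secret between the DHCP server and the DNS server.
// With TSIG every updater needs its own key block like this one;
// that is the "increasing number of shared secrets" Jan refers to.
key "dhcp-updater" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";   // generate with tsig-keygen
};

// Weak form (assumed example): any holder of the key may add, change
// or delete ANY record anywhere in the zone, including NS and MX.
zone "example.com" IN {
    type master;
    file "example.com.db";
    allow-update { key "dhcp-updater"; };
};

// Least-privilege form (assumed example): the same key may only touch
// A records under the DHCP pool subdomain, and only PTR records in the
// matching reverse zone. Everything else is refused with REFUSED.
zone "example.com" IN {
    type master;
    file "example.com.db";
    update-policy {
        grant "dhcp-updater" wildcard *.dhcp.example.com. A;
    };
};

zone "10.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.10.rev";
    update-policy {
        grant "dhcp-updater" zonesub PTR;
    };
};
```

On a server that uses update-policy, an update signed with the key but outside the granted names or types shows up in the BIND log as a refused update, which is the event worth alerting on.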