17 Srp
2015
17 Srp
'15
0:41
Network renumbering requires that A and AAAA RRs are directly or
indirectly (DHCP) updated. This in turn requires dynamic DNS updates
(RFC 2136).
Although Knot DNS allows dynamic updates, it is not really prepared to
securely handle this scenario. Knot DNS can either allow an address or
key to update RRs in a zone via ACLs which is not fine-grained enough to
useful for this purpose because it is questionable from a security
perspective (under a certain threat model etc.). Assume that example.com
uses dynamic DNS updates to update A and AAAA RRs to be prepared to
renumber its network. If example.com uses a DHCP server to update the
RRs, it suffices to take over the DHCP server of example.com to update
any RRs in the zone of example.com, including NS, MX, TLSA and SSHFP
RRs. If every host of example.com updates its own A and AAAA RRs
directly and indirectly via a DHCP server, the problem is still the
same, even if you move every hostname in a separate zone, for example it
suffices to take over the webserver that serves example.com to change
the MX RRs of example.com. With more fine-grained ACLs the problem would
not exist.
Currently ACLs consist of a subject (address and key), operation
(transfer, notify, update, control) and object (zone). I think it would
suffice to extend the object of an ACL to a triple (zone, name, type)
similar to dynamic update policies in BIND. Perhaps it would also be
useful to be able to use wildcards and negation. Are there any plans to
extend the ACL mechanism in this way?
Regards,
Matthias-Christian
17 Srp
17 Srp
9:20
Hi,
Thanks for your comment. Yes, we already have a plan for fine-grained ACLs
https://gitlab.labs.nic.cz/labs/knot/issues/78
Regards,
Dan
On 08/17/2015 12:41 AM, Matthias-Christian Ott wrote:
Network renumbering requires that A and AAAA RRs are
directly or
indirectly (DHCP) updated. This in turn requires dynamic DNS updates
(RFC 2136).
Although Knot DNS allows dynamic updates, it is not really prepared to
securely handle this scenario. Knot DNS can either allow an address or
key to update RRs in a zone via ACLs which is not fine-grained enough to
useful for this purpose because it is questionable from a security
perspective (under a certain threat model etc.). Assume that example.com
uses dynamic DNS updates to update A and AAAA RRs to be prepared to
renumber its network. If example.com uses a DHCP server to update the
RRs, it suffices to take over the DHCP server of example.com to update
any RRs in the zone of example.com, including NS, MX, TLSA and SSHFP
RRs. If every host of example.com updates its own A and AAAA RRs
directly and indirectly via a DHCP server, the problem is still the
same, even if you move every hostname in a separate zone, for example it
suffices to take over the webserver that serves example.com to change
the MX RRs of example.com. With more fine-grained ACLs the problem would
not exist.
Currently ACLs consist of a subject (address and key), operation
(transfer, notify, update, control) and object (zone). I think it would
suffice to extend the object of an ACL to a triple (zone, name, type)
similar to dynamic update policies in BIND. Perhaps it would also be
useful to be able to use wildcards and negation. Are there any plans to
extend the ACL mechanism in this way?
Regards,
Matthias-Christian
_______________________________________________
knot-dns-users mailing list
knot-dns-users(a)lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
3386
days inactive
3387
days old
1 comments
2 participants
participants (2)
-
Daniel Salzman -
Matthias-Christian Ott