IPv6 and DNS for the residential service provider

Tony Finch dot at dotat.at
Tue Sep 25 01:42:21 CEST 2012


Marco d'Itri <md at Linux.IT> wrote:
> On Sep 24, Ron Vachiyer <proutfoo at outlook.com> wrote:
>
> > I would agree, except that TSIG-less updates are open to DoS as pretty
> > much anyone that can reach the authoritative DNS can update whatever
> > record they like without authentication.  Unless you are suggesting
> > using some sort of client on the customer side to perform the updates
> > using a key-exchange system of some sort?
>
> With BIND you can easily limit non-authenticated updates to the IP
> itself or to the network. This is not perfect, but it may be good enough
> for consumer networks.

In particular the tcp-self option is relatively tricky to spoof.
ftp://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html#dynamic_update_policies

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.



More information about the ipv6-ops mailing list