IPv6 and DNS for the residential service provider
Marco d'Itri
md at Linux.IT
Tue Sep 25 02:09:35 CEST 2012
On Sep 25, Tony Finch <dot at dotat.at> wrote:
> > With BIND you can easily limit non-authenticated updates to the IP
> > itself or to the network. This is not perfect, but it may be good enough
> > for consumer networks.
> In particular the tcp-self option is relatively tricky to spoof.
> ftp://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html#dynamic_update_policies
It is provably impossible to spoof if your network is designed correctly
(customers are not able to spoof other customers and no packets from
your own address space are accepted from the outside).
The problem with self-ip authorization is that on multiuser systems
any unauthorized non-privileged user could change the rDNS unless
precautions (UID-based filtering) are taken.
But I believe that this is a reasonable tradeoff for consumer networks.
--
ciao,
Marco
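
The check that self-IP authorization comes down to, as an added example (not part of the message above and not BIND's own code): an update is accepted only if it arrived over TCP and the name being updated is the reverse-mapping name of the source address. The function names, the PTR-only restriction and the sample requests are assumptions made for illustration.

```python
import ipaddress


def reverse_name(addr: str) -> str:
    """Standard in-addr.arpa / ip6.arpa name for an address, fully qualified."""
    return ipaddress.ip_address(addr).reverse_pointer.lower() + "."


def normalize(name: str) -> str:
    """DNS names compare case-insensitively; force one trailing dot."""
    return name.lower().rstrip(".") + "."


def tcp_self_allows(transport: str, source_ip: str,
                    update_name: str, rrtype: str) -> bool:
    """Model of a self-IP update rule (hypothetical helper).

    The only credential is the source address of the connection, so the
    decision is only as strong as the network's anti-spoofing, and any
    local process on the host passes it, whatever user it runs as.
    """
    if transport != "tcp":           # UDP source addresses are trivially forged
        return False
    if rrtype.upper() != "PTR":      # assumption: policy limited to PTR records
        return False
    try:
        expected = reverse_name(source_ip)
    except ValueError:               # malformed source address
        return False
    return normalize(update_name) == expected


if __name__ == "__main__":
    own = reverse_name("2001:db8::1")
    # Constructed sample requests: (transport, source, name, type)
    samples = [
        ("tcp", "2001:db8::1", own, "PTR"),    # host updating its own PTR
        ("udp", "2001:db8::1", own, "PTR"),    # same update over UDP
        ("tcp", "2001:db8::2", own, "PTR"),    # neighbour updating someone else
        ("tcp", "192.0.2.7", "7.2.0.192.IN-ADDR.ARPA", "PTR"),
    ]
    for req in samples:
        print(req[0], req[1], "->", "allow" if tcp_self_allows(*req) else "refuse")
```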