
I've set up Bind to allow hosts to update only their own DNS entries, but I'm having trouble with the reverse DNS portion of this. My configuration is as follows:

named.conf

options {
    listen-on port 53 { 127.0.0.1; 10.9.10.10; };
    directory       "/var/named";
    dump-file       "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { localhost; 10.0.0.0/8; };
    recursion yes;
    allow-recursion { 10.0.0.0/8; };

    dnssec-enable yes;
    dnssec-validation no;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";
};

logging {
    channel default_debug {
            file "data/named.run";
            severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "mydomain.com.keys";
zone "mydomain.com" IN {
    type master;
    file "dynamic/forward.mydomain.com.zone";
    update-policy {
            grant *.mydomain.com self *.mydomain.com A TXT;
    };
};

zone "9.10.in-addr.arpa" IN {
    type master;
    file "dynamic/reverse.mydomain.com.zone";
    update-policy {
            grant * tcp-self * PTR;
    };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

mydomain.com.keys

key myserver1.mydomain.com. {
    algorithm HMAC-SHA512;
    secret "blahblahblah";
};
key myserver2.mydomain.com. {
    algorithm HMAC-SHA512;
    secret "blahblahblah";
};

What's working right

The mydomain.com zone configuration correctly prevents servers from updating DNS entries that don't belong to them:

[root@myserver1 ~]# nsupdate -v -k Kmyserver1.mydomain.com.+165+55228.key
> server dns1.mydomain.com
> zone mydomain.com
> update add myserver2.mydomain.com 86400 A 10.9.10.50
> show
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;mydomain.com.                        IN      SOA

;; UPDATE SECTION:
myserver2.mydomain.com. 86400   IN      A       10.9.10.50

> send
update failed: REFUSED

This enforcement is achieved through the key specified in the nsupdate command. Nsupdate pulls the secret out of the Kmyserver1.mydomain.com.+165+55228.key file and sends it to Bind. Bind finds the matching secret in mydomain.com.keys and validates the key name against the domain name you're trying to update.

What isn't working right

But the settings for the reverse zone (9.10.in-addr.arpa) don't seem to restrict updates based on the key name that was used to make the reverse DNS update.

[root@myserver1 ~]# nsupdate -v -k Kmyserver1.mydomain.com.+165+55228.key
> server dns1.mydomain.com
> zone 9.10.in-addr.arpa
> update add 50.10.9.10.in-addr.arpa 86400 IN PTR myserver2.mydomain.com
> show
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;9.10.in-addr.arpa.             IN      SOA

;; UPDATE SECTION:
50.10.9.10.in-addr.arpa. 86400 IN     PTR     myserver2.mydomain.com.

> send
> ^C
[root@myserver1 ~]# nslookup 10.9.10.50
Server:         10.9.10.10
Address:        10.9.10.10#53

50.10.9.10.in-addr.arpa       name = myserver1.mydomain.com.
50.10.9.10.in-addr.arpa       name = myserver2.mydomain.com.

Additionally, I've tried configuring the reverse zone update-policy to only allow updates from specific addresses (rather than *), but this had no effect on the issue.

What I'm trying to do

I would like to configure the update-policy for the 9.10.in-addr.arpa zone so that the example above would be refused. I only want servers to be able to update reverse DNS for their own IP address and domain name. I've scoured various sites and can't seem to find any information on how, or if it's even possible, to configure the update-policy to achieve this.

The version of Bind I'm running is BIND 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6.

Syon
  • What do the `*` before and after tcp-self do exactly? – NickW Jan 12 '15 at 17:13
  • `* tcp-self *` essentially says, "any IP address (`*`) may update its own IP (`tcp-self *`) entries". The `tcp-self` replaces the second `*` with whatever the first `*` matched. – Syon Jan 12 '15 at 17:23
  • Have you tried it without the *? `tcp-self - allow updates sent via TCP for which the updater's source IP address maps into a corresponding in-addr.arpa or ip6.arpa domain [subtree] being updated.` – NickW Jan 12 '15 at 17:40
  • Changed the policy to `grant 50.10.9.10.in-addr.arpa tcp-self 50.10.9.10.in-addr.arpa PTR;`, same result. The host is still able to add reverse DNS entries for hostnames that it does not own. – Syon Jan 12 '15 at 17:54
  • You seem to have the right sort of config, I wonder if RDNS just doesn't get that granular? It does seem strange though. – NickW Jan 13 '15 at 09:27
  • Note that the documentation for `tcp-self` update policy was [recently clarified:](https://gitlab.isc.org/isc-projects/bind9/commit/f03d68a7d0d2667db7782cef7fe0f835da62325c) it should be `grant * tcp-self "." PTR;` Apparently the non-obvious `"."` bit is important... – telcoM Nov 21 '18 at 11:02
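A small model of the two rule types discussed above, the forward zone's `self` rule and the reverse zone's `tcp-self` rule as described in the quoted documentation and the linked ISC clarification, written as an added example to reason about which updates should be refused; it is not BIND's code nor anything from the question, and myserver1's address (10.9.10.40) and the sample names are constructed:

```python
# Added example (not BIND's code, not from the question): a model of the
# 'self' and 'tcp-self' update-policy checks, to see which updates BIND
# should refuse. Addresses and key names below are constructed.
import ipaddress


def norm(name: str) -> str:
    """Canonical form for comparison: lower-case, exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def reverse_name(ip: str) -> str:
    """Standard reverse-mapping owner name (in-addr.arpa / ip6.arpa) for ip."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def self_allows(key_name: str, owner: str, rrtype: str,
                types=("A", "TXT")) -> bool:
    """The question's 'grant *.mydomain.com self ... A TXT' rule: the TSIG key
    name must equal the owner name being updated; anything else is REFUSED."""
    return rrtype in types and norm(key_name) == norm(owner)


def tcp_self_allows(source_ip: str, via_tcp: bool, owner: str, rrtype: str,
                    types=("PTR",)) -> bool:
    """'grant * tcp-self "." PTR': the update must arrive over TCP and the
    requester's source IP must reverse-map onto the owner name being updated.
    Not checked at all: the TSIG key name and the PTR target (rdata), so the
    legitimate owner of an address may still point its PTR at any hostname."""
    return via_tcp and rrtype in types and norm(owner) == reverse_name(source_ip)


def explain(source_ip: str, owner: str, target: str) -> str:
    """Human-readable verdict for a TCP PTR update, for the page's cases."""
    verdict = "ALLOWED" if tcp_self_allows(source_ip, True, owner, "PTR") else "REFUSED"
    return f"{verdict}: {owner} -> {target} from {source_ip}"


if __name__ == "__main__":
    # Forward zone: myserver1's key adding an A record for myserver2 (REFUSED).
    print(self_allows("myserver1.mydomain.com.", "myserver2.mydomain.com", "A"))
    # Reverse zone, assuming myserver1 sends from 10.9.10.40 (constructed).
    print(explain("10.9.10.40", "50.10.9.10.in-addr.arpa", "myserver2.mydomain.com."))
    # The host that actually owns 10.9.10.50 may set that PTR to any name.
    print(explain("10.9.10.50", "50.10.9.10.in-addr.arpa", "myserver2.mydomain.com."))
```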
