I have several Windows systems in a Linux network with BIND9 DNS as well as an Active Directory domain. We do not use the Windows domain controllers for DNS. In order to ensure all of the systems are registered in DNS, I have deployed a script to each system that uses the Windows nsupdate binary to register the Windows systems in BIND. This works well for desktops and laptops and triggers on network state change.

The concern here is that if the TSIG key is compromised on these workstations, any internal record could be updated or deleted. I've mitigated this by setting the script and key files to be readable by the SYSTEM account only, and the systems all use FDE with a boot PIN.

Host names in the organization follow a repeatable convention, and workstations always start with W. Is there a way to restrict the host-key in BIND9 to only update or add hosts with this prefix?

I would like to avoid creating another zone to isolate the workstation TSIG keys from the rest of the account services, but this will be my next option.

ACiD GRiM
1 Answer

You can set up fine-grained ACL control of which key can update which records.

This is achieved with the update-policy statement instead of allow-update; see the BIND manual.

update-policy { grant KEYNAME name RECORDNAME; ... };

The key KEYNAME should be installed on the machine which updates RECORDNAME. This is even more fine-grained behaviour than you requested. You can also use wildcards, i.e. W* in the place of RECORDNAME, and that should work exactly like you specified. You can also restrict updates further to only allow certain DNS RR types to be updated.

A traditional allow-update behaviour is achieved with the zonesub rule type.

All of this is often configured with TSIG/GSS instead of PSK, but this requires a Kerberos deployment. BIND can even use the authentication that the Windows built-in DNS updater provides, which uses their machine domain accounts (which uses the same mechanism, because AD is Kerberos-based anyway).

Nikita Kipriyanov
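A named.conf fragment putting the answer's update-policy rules together, as an added example rather than configuration from the question or the answer; the zone, key names, hostnames and secret are hypothetical placeholders. Note that BIND's wildcard rule type uses DNS wildcard expansion, where the wildcard is a whole leftmost `*` label (as in `*.ws.example.com.`), so a per-host `name` rule is the way to pin a key to a single workstation record.

```conf
// Added example (not from the page). Names and secrets are placeholders.
// Each workstation carries only its own key, so a compromised workstation
// can modify nothing but its own A/AAAA record.
key "ws-w1234-key" {
    algorithm hmac-sha256;
    secret "<BASE64-SECRET-PLACEHOLDER>";
};

// Optional shared key for hosts that live under a dedicated label; the
// wildcard is a full '*' label, which is what BIND's wildcard rule expects.
key "ws-fleet-key" {
    algorithm hmac-sha256;
    secret "<BASE64-SECRET-PLACEHOLDER>";
};

// Administrative key retaining the old allow-update behaviour.
key "admin-key" {
    algorithm hmac-sha256;
    secret "<BASE64-SECRET-PLACEHOLDER>";
};

zone "example.com" IN {
    type master;
    file "example.com.zone";
    // update-policy replaces allow-update; rules are evaluated in order
    // and the first matching rule decides.
    update-policy {
        // Per-host key: only this record, only address RR types.
        grant ws-w1234-key name w1234.example.com. A AAAA;
        // Shared key: any single-label name directly under ws.example.com.
        grant ws-fleet-key wildcard *.ws.example.com. A AAAA;
        // Equivalent of allow-update for the whole zone, any RR type.
        grant admin-key zonesub ANY;
    };
};
```

Generate each secret with tsig-keygen on the server and copy only the matching key stanza to the corresponding workstation; an update signed with ws-w1234-key for any other name or RR type is refused by the server.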