#1831 use the -v flag with nsupdate to force TCP transmission for better security
Closed: Fixed. Opened 6 years ago by jhrozek.

This RFE came up today during a discussion with Petr Spacek.

If the -v flag is used when nsupdate is called to update records on the IPA server, then a TCP connection is forced. If TCP is used, then the BIND plugin can verify the connection and disallow updates that would potentially overwrite other records.

One important note -- apparently Bind's authorization mechanism stops on first match so it's not possible to use TCP verification with GSS-TSIG.

Related to dynamic DNS updates against AD.

milestone: NEEDS_TRIAGE => SSSD 1.10 beta
rhbz: => 0
type: defect => task

The proposal for enhancement described in https://www.redhat.com/archives/freeipa-devel/2013-March/msg00006.html was sent to ISC (by e-mail to bind-suggest@isc.org).

IMHO 'do update over TCP' should be a configurable option. A user may want to use plain UDP updates with servers other than BIND or AD.

Also, we could think about a fallback to UDP. The fallback could be handy if a user has an improperly configured firewall, etc.
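The behaviour discussed in this ticket, as an added example that is neither SSSD's code nor part of the ticket: a shell script that builds the nsupdate batch for a host's A record, adds `-v` when TCP is forced (so BIND can verify the connection), and optionally retries over plain UDP when the TCP attempt fails, e.g. through a firewall that drops TCP/53. nsupdate's `-v` (use TCP) and `-g` (GSS-TSIG) options are real; the `force_tcp`/`fallback_udp` switches, the `fake_nsupdate` stand-in and the example.com / 192.0.2.10 data are constructed for illustration. As noted above, BIND stops at the first matching authorization rule, so combining `-g` with the TCP self-check does not give both protections.

```shell
#!/bin/sh
# Added example (not SSSD's or this ticket's code): dynamic DNS update with
# TCP forced via "nsupdate -v" and an optional fallback to plain UDP.
# Hypothetical names: force_tcp, fallback_udp, fake_nsupdate.

NSUPDATE="${NSUPDATE:-nsupdate}"   # real binary, or a stand-in for offline runs

# Print the nsupdate batch that replaces a host's A record.
# Args: zone fqdn ipv4 [ttl]
build_update_script() {
    zone="$1"; fqdn="$2"; addr="$3"; ttl="${4:-3600}"
    printf 'zone %s\n' "$zone"
    printf 'update delete %s. in A\n' "$fqdn"
    printf 'update add %s. %s in A %s\n' "$fqdn" "$ttl" "$addr"
    printf 'send\n'
}

# Print the nsupdate options for a given policy.  Args: force_tcp(0|1) gss(0|1)
# -v forces TCP so the server can verify the connection; -g selects GSS-TSIG.
# Per the ticket, BIND stops at the first matching authorization rule, so the
# TCP self-check does not combine with GSS-TSIG authorization.
nsupdate_args() {
    force_tcp="$1"; gss="$2"; args=""
    [ "$gss" = 1 ] && args="-g"
    if [ "$force_tcp" = 1 ]; then args="${args:+$args }-v"; fi
    printf '%s' "$args"
}

# Run the update.  Args: force_tcp(0|1) fallback_udp(0|1) gss(0|1) batch
# Prints the transport that succeeded (tcp|udp); returns 1 if every attempt failed.
do_dyndns_update() {
    force_tcp="$1"; fallback_udp="$2"; gss="$3"; update="$4"
    if [ "$force_tcp" = 1 ]; then
        args=$(nsupdate_args 1 "$gss")
        # $args is intentionally unquoted so it splits into separate options
        if printf '%s\n' "$update" | "$NSUPDATE" $args; then
            echo tcp; return 0
        fi
        [ "$fallback_udp" = 1 ] || return 1
    fi
    args=$(nsupdate_args 0 "$gss")
    if printf '%s\n' "$update" | "$NSUPDATE" $args; then
        echo udp; return 0
    fi
    return 1
}

# Test double so the example runs offline (constructed, not real nsupdate).
# It swallows the batch on stdin; with FAKE_BLOCK_TCP=1 it fails whenever -v
# is requested, simulating a firewall that passes UDP/53 but drops TCP/53.
fake_nsupdate() {
    tcp=0
    for arg in "$@"; do
        [ "$arg" = -v ] && tcp=1
    done
    cat >/dev/null
    if [ "$tcp" = 1 ] && [ "${FAKE_BLOCK_TCP:-0}" = 1 ]; then
        return 1
    fi
    return 0
}

# Stand-alone demonstration against the test double.  Drop these lines and
# export NSUPDATE=/usr/bin/nsupdate to talk to a real server.
NSUPDATE=fake_nsupdate
update=$(build_update_script example.com host.example.com 192.0.2.10 300)
echo "TCP open, forced:           $(FAKE_BLOCK_TCP=0; do_dyndns_update 1 1 0 "$update")"
echo "TCP blocked, UDP fallback:  $(FAKE_BLOCK_TCP=1; do_dyndns_update 1 1 0 "$update")"
echo "TCP blocked, no fallback:   $(FAKE_BLOCK_TCP=1; do_dyndns_update 1 0 0 "$update" || echo failed)"
```

The fallback is the weak point from a security standpoint: an attacker who can make TCP/53 fail (or an admin who never opened it) silently downgrades the client to UDP, where the server cannot verify the source address. If the fallback is enabled at all, the downgrade should be logged so it can be spotted.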

Fields changed

owner: somebody => jhrozek
patch: 0 => 1
review: => 0
status: new => assigned

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.10 beta

2 years ago