#1831 use the -v flag with nsupdate to force TCP transmission for better security
Closed: Fixed None Opened 11 years ago by jhrozek.

This RFE came up today during a discussion with Petr Spacek.

If the -v flag is used when nsupdate is called to update records on the IPA server, then TCP connection is forced. If TCP is used, then the Bind plugin can verify the connection and disallow updates that would potentially overwrite other records.


One important note -- apparently Bind's authorization mechanism stops on first match so it's not possible to use TCP verification with GSS-TSIG.

Related to dynamic DNS updates against AD.

milestone: NEEDS_TRIAGE => SSSD 1.10 beta
rhbz: => 0
type: defect => task

Proposal for enhancement described in https://www.redhat.com/archives/freeipa-devel/2013-March/msg00006.html was sent to ISC (via e-mail bind-suggest@isc.org).

IMHO 'do update over TCP' should be configurable option. User may want to use plain UDP updates with other servers than BIND or AD.

Also, we could think about fallback to UDP. Fallback could be handy if user have improperly configured firewall etc.

Fields changed

owner: somebody => jhrozek
patch: 0 => 1
review: => 0
status: new => assigned

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.10 beta

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2873

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata