On Oct 29, 2008, at 10:59 AM, David Forrest wrote:
> Currently /etc/update-keys has mode 600, which, because dhcpd runs
> as root
> appears to do the same as using a common group. I am just
> considering what
> havoc could result from a hacked named by allowing the rogue user
> named to
> read the secret and poison an internal view zone file. I do not use
> nsupdate on my external view zones as they haven't changed in years
> and I
> can put up with the [rndc freeze; vi ; rndc thaw] procedure.
> I'm
> thinking the hacker could not do much as user named with nsupdate
> anyway
> but just asking, "Is it wise?"

Your name server needs to be able to read the keys. Period. You can't
avoid this, other than not using keys (not recommended).

It's true that an attacker who broke in through the named process
could then read the keys and perform mischief thereafter with your
zone data. The only thing you can do to mitigate this beyond running a
current version of named is to try to stop someone from breaking in
through named. That means using hardening tools such as an intrusion
prevention system (IPS), a mandatory access control system (MAC), and
hardening compiler tools when building named (including enabling PIC
in the ./configure step).

However, named itself is pretty secure, and there haven't been many
code-execution exploits in recent years. That isn't to say one won't
be discovered and exploited before you have a chance to update, only
that it isn't a common occurrence.

Chris Buxton
Professional Services
Men & Mice