On 3/9/19 7:21 PM, Mark Andrews wrote:
First of all, firewall vendors are changing their views on DNS. Lots of default blockages have gone and UPDATE is no more dangerous than QUERY. Checkpoint have removed their default QUERY blocks. Similarly Juniper have also removed their default blocks. If there are blocks on UPDATE they can similarly be removed. Nameservers that support UPDATE don’t need external protection. UPDATE has had fine grain authentication for 15+ years since the invention of TCP, TSIG and SIG(0). See update-policy in BIND for an example. TCP is still hard to spoof and is useful for some updates especially in the reverse tree.
Yes, but there are zillions of SOHO routers deployed that still implement such blocks in firmware, are unlikely to be updated, and will be replaced only slowly.
It's been a while, but last time I looked, I couldn't find a single DNS registry that implemented UPDATE. For better or worse, many organizations (some large ones) use godaddy or similar services for their public-facing DNS.
Keith
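For readers who have not seen the BIND update-policy that Mark's quoted message refers to, the fragment below is an added example (not posted by anyone in this thread) of what TSIG-based, per-name UPDATE authorization looks like in named.conf. The key name, the zone name, the host name and the secret are placeholders, and the `type primary;` spelling assumes BIND 9.16 or later (older releases use `type master;`).

```conf
// Added example, not from the thread: TSIG-authenticated dynamic UPDATE
// with a least-privilege update-policy. All names and the secret are placeholders.

key "host1-ddns-key." {
    algorithm hmac-sha256;
    // Placeholder; generate a real secret with: tsig-keygen host1-ddns-key.
    secret "REPLACE_WITH_BASE64_SECRET";
};

zone "example.com" {
    type primary;
    file "example.com.db";
    // Only UPDATE messages signed with host1-ddns-key. are considered, and even
    // a correctly signed message may only change the A and AAAA records of
    // host1.example.com. Anything else (other names, other types, unsigned
    // requests) is refused, so no packet-filter rule in front of the server
    // is needed to keep the zone safe.
    update-policy {
        grant host1-ddns-key. name host1.example.com. A AAAA;
    };
};
```

After editing, `named-checkconf` validates the syntax; the mutual exclusivity of `allow-update` and `update-policy` in the same zone is the usual thing it catches. The point of the `name` rule type is that a stolen or leaked key can only be used against the one record set it was issued for, which is the "fine grain authentication" the quoted message describes.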