On Tue, 18 Jun 2002, Bryan Halvorson wrote:
> Bind 8 and 9 support dynamic updates and I think there's a version of
> bind 9 that will run on NT. If this is the case then NT users can just 
> run nsupdate which will talk directly from the client system to the
> nameserver and has good security built in. I'm doing this for several 
> people with cable modems on my nameservers. 

 Bind 8 supports dynamic updates?  I wasn't aware of that.  Thanks.

> For other people it'd be fairly trivial to write a cgi script that can
> run on a web server somewhere and can interface with nsupdate. Wget 
> runs on windows and can be used to talk to the cgi script. I know that 
> the latest version of wget talks https but I'm not sure about the 
> windows version I've got. If it does that would take care of most of the
> security problems.

 That's about what I had in mind, yes.  So far all the CGI script I have 
does is edit some zone files directly (and reload the zone), but there's 
no reason it couldn't be a midpoint between people without nsupdate, and 
the DNS server.  Carl's machine might be a good staging area for that 
(thanks Carl!).
 Anyway, some sort of password authentication could keep troublemakers 
from changing people's DNS bindings.  Maybe crypt()ed on the client side, 
using the hostname as the seed?  That or using https.  Something like 
that.

> I can provide help with getting dynamic updates working in bind and with
> the somewhat strange syntax of nsupdate if someone would like it.

 I'll get around to it eventually; Nate Carlson posted a mini-howto on the 
TCLUG list a couple weeks ago.  (See: 
http://archives2.real-time.com/pipermail/tclug-list/2002-June/050969.html)
 The one thing I learned from someone else who implemented it is to make 
sure that the clocks on both the client and server are fairly close; NTP 
comes in handy here.

 Just throwing out ideas (I don't need 'em).

     Jima
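
The CGI midpoint discussed above, as an added example that is not part of the original message or anyone's actual script: the server-side check authenticates a request and turns it into nsupdate input. The zone, secrets, field layout, HMAC scheme and timestamp window are all assumptions of this sketch; the timestamp window is separate from the client/server clock requirement mentioned in the mail.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed sample values (hypothetical): the zone and per-host shared secrets.
ZONE = "dyn.example.org"
SECRETS = {"laptop.dyn.example.org": b"constructed-secret"}
MAX_SKEW = 300  # seconds of clock difference tolerated (assumption of this sketch)
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOST_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")


def sign(host, ip, ts, secret):
    """Client side: MAC over the exact fields the server will act on."""
    msg = f"{host}|{ip}|{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_update(host, ip, ts, mac, now, ttl=60):
    """Return nsupdate input for an authenticated request, else raise ValueError."""
    host = host.lower().rstrip(".")
    # Strict whole-string validation: nsupdate input is line-oriented, so no
    # request field may contain anything that could start a new line.
    if not HOST_RE.fullmatch(host) or not host.endswith("." + ZONE):
        raise ValueError("bad hostname")
    addr = ipaddress.IPv4Address(ip)  # raises a ValueError subclass on junk
    if abs(now - int(ts)) > MAX_SKEW:
        raise ValueError("stale request")
    secret = SECRETS.get(host)
    # Always compute a MAC and compare in constant time, even for unknown hosts.
    expected = sign(host, str(addr), ts, secret or b"\0")
    if secret is None or not hmac.compare_digest(expected.encode(), mac.encode()):
        raise ValueError("authentication failed")
    # The caller would pipe this text to nsupdate, e.g. `nsupdate -k <keyfile>`.
    return (f"zone {ZONE}\n"
            f"update delete {host}. A\n"
            f"update add {host}. {ttl} A {addr}\n"
            "send\n")
```

Because each host has its own secret and the MAC covers the hostname, one user cannot change another user's record; running the CGI over https additionally keeps the request from being read in transit.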