
The DNS implementation must enforce a Discretionary Access Control (DAC) policy that includes or excludes access to the granularity of a single user.


Overview

Finding ID: V-34264
Version: SRG-NET-000307-DNS-000168
Rule ID: SV-44743r1_rule
IA Controls: (none listed)
Severity: Medium
Description
DAC is based on the notion that individual users are owners of objects and, therefore, have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC is user-controlled file permissions.

The primary objective of DNS authentication and access control is the integrity of DNS records: only authorized personnel must be able to create and modify resource records, and name servers should only accept updates from the authoritative master servers for the relevant zones. Integrity is best assured through the authentication and access control features of the name server software and of the file system the name server resides on. To protect the zone files and configuration data, which should be accessed only by the name service or an administrator, access controls need to be implemented on all such files, and the owner of those files must be able to allow or deny access to them. Lack of a stringent access control policy places the DNS infrastructure at risk from malicious persons and attackers, in addition to potential denial of service to network resources.

Including or excluding access down to the granularity of a single user means providing the capability to allow or deny access to objects (e.g., files, folders) on a per-user basis. This is necessary to avoid a user having privileges beyond their scope of duties, and it provides the granularity needed to build tightened access controls on objects. If all users had the same level of access to every object, an attacker who gained access to the system under any account could compromise the DNS infrastructure.
STIG: Domain Name System (DNS) Security Requirements Guide
Date: 2012-10-24

Details

Check Text (C-42248r1_chk)
Review the DNS settings and configuration to determine if access controls are in place that are configurable to the single user level so users are able to assign and revoke rights to the objects and information that they own. If users cannot assign or revoke rights to the objects and information they own to groups, roles, or individual users, this is a finding.
Fix Text (F-38195r1_fix)
Configure the DNS settings to allow users to assign or revoke access rights to objects and information owned by the user. The ability to grant or revoke rights must include the ability to grant or revoke those rights down to the granularity of a single user.
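The check and fix above are written for any DNS implementation. On a Unix-like name server the objects in question are the zone files and the server configuration, and the DAC policy described in the requirement is expressed in file ownership, mode bits and, for grants to a single named user beyond owner/group/other, POSIX ACLs. The following shell script is an added example and is not part of the SRG or of any vendor's STIG: it audits a zone directory for files readable or writable beyond the owning service account and its group (the condition the check text asks the reviewer to look for), and shows how a file owner grants or revokes access for one named user. The service account "named", the group "named", the paths /var/named and /etc/named.conf, GNU stat, and the availability of setfacl/getfacl are assumptions for a BIND-style layout on Linux; adjust them to the product under review.

```shell
#!/bin/sh
# Added example, not from the SRG. Audits DNS zone/config files for a DAC
# policy stricter than "everyone": readable only by the owning service account
# (or root) and its group, writable only by the owner, with any single-user
# exceptions expressed as explicit POSIX ACL entries.
# Assumptions: BIND-style layout on Linux (service account "named", zone files
# under /var/named), GNU stat, acl tools present for the per-user functions.

DNS_USER="${DNS_USER:-named}"       # assumed name-service account
DNS_GROUP="${DNS_GROUP:-named}"     # assumed name-service group
ZONE_DIR="${ZONE_DIR:-/var/named}"  # assumed zone directory

# check_file OCTAL_MODE OWNER GROUP PATH
# OCTAL_MODE is as printed by "stat -c %a" (e.g. 640, no leading zero).
# Prints one FINDING line per violation. Returns 0 when clean, 1 otherwise.
check_file() {
    mode=${1#0}; mode=${mode:-0}; owner=$2; group=$3; path=$4; rc=0
    other=$(( mode % 10 ))            # last octal digit: permissions for "other"
    grp=$(( (mode / 10) % 10 ))       # middle digit: permissions for the group
    if [ "$other" -ne 0 ]; then
        echo "FINDING: $path is accessible to any user on the system (mode $mode)"; rc=1
    fi
    if [ $(( grp & 2 )) -ne 0 ]; then
        echo "FINDING: $path is group-writable (mode $mode)"; rc=1
    fi
    if [ "$owner" != "$DNS_USER" ] && [ "$owner" != "root" ]; then
        echo "FINDING: $path is owned by $owner, expected $DNS_USER or root"; rc=1
    fi
    if [ "$group" != "$DNS_GROUP" ] && [ "$group" != "root" ]; then
        echo "FINDING: $path has group $group, expected $DNS_GROUP or root"; rc=1
    fi
    return $rc
}

# audit_dir DIR
# Runs check_file over every regular file in DIR. Returns the number of files
# with findings (0 = clean).
audit_dir() {
    dir=$1; bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # GNU stat first, BSD/macOS stat as a fallback
        info=$(stat -c '%a %U %G' "$f" 2>/dev/null || stat -f '%Lp %Su %Sg' "$f") || continue
        set -- $info
        check_file "$1" "$2" "$3" "$f" || bad=$((bad + 1))
    done
    echo "$dir: $bad file(s) with findings"
    return $bad
}

# grant_user_read USER FILE / revoke_user USER FILE
# Single-user DAC beyond owner/group/other, via POSIX ACLs (assumption: acl
# tools installed and the filesystem mounted with ACL support). Only the file
# owner or root may change the ACL, which is what makes it discretionary.
grant_user_read() { setfacl -m "u:$1:r--" "$2"; }
revoke_user()     { setfacl -x "u:$1" "$2"; }

# list_user_acl FILE
# Prints the named-user ACL entries, i.e. the per-user exceptions a reviewer
# must examine alongside the mode bits.
list_user_acl() {
    command -v getfacl >/dev/null 2>&1 || { echo "getfacl not available on this host"; return 0; }
    getfacl -p "$1" 2>/dev/null | grep '^user:[^:]' || echo "$1: no per-user ACL entries"
}

# When run directly on a name server: audit the zone directory, then show any
# per-user ACL entries on the configuration (path assumed) and the zone files.
if [ -d "$ZONE_DIR" ]; then
    audit_dir "$ZONE_DIR" || true
    for cfg in /etc/named.conf "$ZONE_DIR"/*; do
        [ -f "$cfg" ] && list_user_acl "$cfg"
    done
fi
```

Two caveats when reading the output. First, once a file carries a POSIX ACL, the group mode bits reported by stat are the ACL mask, not the owning group's own permissions, so a file that shows as 660 after "grant" of read-write to one user is flagged as group-writable; that is the right moment to run list_user_acl and decide whether the per-user entry is authorized. Second, the script checks the file system layer only; the name server's own access control for dynamic updates (which the description also requires) has to be reviewed in the server configuration separately.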