{"description": "Is there a mission-critical reason to enable the risky dynamic\nupdate functionality? If not, edit <tt>/etc/named.conf</tt>. For each zone\nspecification, correct the following directive if necessary:\n<pre>zone \"example.com \" IN {\n  allow-update { none; };\n  ...\n};</pre>", "rationale": "Dynamic updates allow remote servers to add, delete, or modify any\nentries in your zone file. Therefore, they should be considered highly risky,\nand disabled unless there is a very good reason for their use. If dynamic\nupdates must be allowed, IP-based ACLs are insufficient protection, since they\nare easily spoofed. Instead, use TSIG keys (see the previous section for an\nexample), and consider using the update-policy directive to restrict changes to\nonly the precise type of change needed.", "severity": "unknown", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": null, "ocil": null, "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Disable Dynamic Updates", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/dns/dns_server_protection/dns_server_disable_dynamic_updates/rule.yml", "template": null}