Question Regarding Restricting Updates

Kevin Darcy kcd at daimlerchrysler.com
Sat May 19 02:27:19 UTC 2001


I assume you're talking about forward domains, right? The answer for reverse
domains is trivial.

No, I can't think of any way to do this, short of delegating separate subzones
for each set of clients on each subnet (blech!).

It would be nice if BIND had a more flexible ACL mechanism for Dynamic Updates.
Yes, I know all about update-policy in BIND 9, but that's based on
signer-identity in a TSIG or SIG(0) context, which doesn't help at all when
dealing with Win2K clients. And yes, I know that authentication by source IP is
weak. But it would be really handy to have an ACL like "a.b.c.d can only
manipulate A records with an RDATA of a.b.c.d" or, more generally "clients in
range X can only manipulate A records referring to themselves". This I think
would help contain a lot of the "Win2K running amuck with Dynamic Update" chaos
and tide us over until the "BIND implements GSS-TSIG" versus "Microsoft
implements TSIG and/or SIG(0)" standoff is resolved.


- Kevin

Smith, William E. (Bill), Jr. wrote:

> Is it possible to restrict updates for a subnet within a particular domain
> to within that subnet only?  For example, if we have domain x.y.edu for
> which subnets 10, 20, and 30 are part of, can you restrict dynamic updates
> on subnet 30 to only machines within that subnet?   Currently, I only see
> being able to restrict updates within a domain to specific subnets but
> anyone within those subnets being able to update any of the other subnet's
> objects.  The background behind this question is with regards to W2K and
> their "feature" of being able to overwrite existing DNS entries if you have
> DDNS configured on the box.  This is according at least to the 4th Edition
> DNS & BIND.  We're trying to steer away from W2K DNS and stick with our BIND
> servers but want to allow dynamic updates to occur, at least to the
> subdomains.
>
> Thanks,
>
> Bill

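For readers following the thread, the two mechanisms being contrasted look like this in a BIND 9 named.conf. This is an added illustration, not configuration from either poster; the zone name is Bill's, while the subnet, key name and secret are constructed placeholders. Option 1 is the source-address ACL Bill describes (anyone in the subnet may rewrite any name in the zone); option 2 is the update-policy Kevin mentions, which does give the "only touch records for yourself" restriction, but only for clients that sign with a TSIG key, so it does not cover unsigned Win2K updates.

```conf
// Added example, not from the original thread.
// Constructed sample subnet standing in for "subnet 30".
acl subnet30 { 10.0.30.0/24; };

// Option 1: source-IP ACL (all-or-nothing per zone).
// Any host in subnet30 can add, change or delete ANY record in x.y.edu,
// including records belonging to hosts on subnets 10 and 20.
zone "x.y.edu" {
    type master;
    file "x.y.edu.db";
    allow-update { subnet30; };
};

// Option 2: per-signer restriction via TSIG + update-policy.
// The key name matches the client's own hostname; the "self" nametype
// grants that key the right to change only the name it is identical to.
// (Assumed key name and placeholder secret; generate a real secret with
// dnssec-keygen or similar.)
key "host30-1.x.y.edu." {
    algorithm hmac-md5;
    secret "PLACEHOLDER-BASE64-SECRET==";
};

zone "signed.x.y.edu" {
    type master;
    file "signed.x.y.edu.db";
    // "grant * self * A" means: whatever key signs the request may only
    // update A records at the name equal to that key's name.
    // allow-update and update-policy are mutually exclusive in one zone.
    update-policy {
        grant * self * A;
    };
};
```

The contrast is the point of the thread: option 2 expresses exactly the rule Kevin wishes existed ("a client may only manipulate its own A record"), but keyed on the signer rather than the source address, so clients that cannot do TSIG or SIG(0) fall back to the coarse option 1 and can overwrite each other's entries.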