update-policy by source IP

Bernhard Schmidt berni at birkenwald.de
Fri Jul 2 15:05:58 UTC 2010


Hi,

running BIND 9.7.1, I have a few untouchable legacy applications that
send (and can only send) totally unsigned dynamic DNS updates. Up to now
I used

	allow-update { ip.add.re.ss };

in the zone. Not really a security risk (the updates are authenticated
outside of BIND using IPsec), but ugly nevertheless.

I would like to migrate to update-policy now, which is far superior. The
problem is, I cannot mix allow-update and update-policy in a zone, and
there does not seem to be a way to allow updates by source IP in
update-policy. Hard to migrate gradually in this scenario. I would love
to have something like

	update-policy { grant ip.add.re.ss wildcard *; };

Does anyone have a decent idea how to do this? Last resort is to put a
BIND in between the update generator and the master that allows updates
by IP and forwards them TSIG-signed, but that's kind of ugly as well. I
could also list TSIG/SIG(0) keys in allow-update I guess, but part of
the plan is to give additional DDNS access to new users who are
definitely not allowed to edit the entire zone.

Bernhard
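The two setups the post contrasts, as an added named.conf example (not from the original message or from BIND's documentation): the legacy zone keeps its IP-based allow-update, while a migrated zone uses update-policy with one key that may touch the whole zone and one that is limited to a single name. Zone names, addresses and key names are constructed placeholders; the secrets must be replaced with real base64 TSIG secrets.

```conf
// Legacy zone, still on the IP-based ACL. allow-update and update-policy
// cannot both appear in the same zone, so this zone stays as it is until
// the application behind 192.0.2.10 (placeholder) can sign its updates.
zone "legacy.example.net" {
    type master;
    file "legacy.example.net.db";
    allow-update { 192.0.2.10; };
};

// TSIG key for the updater that needs full access to the zone.
key "ops-key." {
    algorithm hmac-sha256;
    secret "<replace-with-base64-secret>";   // placeholder, not a real key
};

// TSIG key for a new user who may only edit one host record.
key "host1-key." {
    algorithm hmac-sha256;
    secret "<replace-with-base64-secret>";   // placeholder, not a real key
};

// Migrated zone: per-key grants instead of a flat allow-update ACL.
// There is no match type for a source address here; every grant is bound
// to a key name, which is why the legacy zone above cannot move yet.
zone "example.net" {
    type master;
    file "example.net.db";
    update-policy {
        // ops-key may add or delete any record type at the apex or below it,
        // equivalent in scope to allow-update but tied to a signed request.
        grant ops-key. subdomain example.net. ANY;
        // host1-key may only change the A and AAAA records of one name;
        // any other name or type in a signed update from it is refused.
        grant host1-key. name host1.example.net. A AAAA;
    };
};
```

Because the grants are evaluated per update name and type, a misconfigured or compromised client holding host1-key cannot rewrite other hosts in the zone, which is the separation the flat ACL could not express.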

More information about the bind-users mailing list