DDNS - limitation and excluding updates from certain networks
Grant Taylor
gtaylor at tnetconsulting.net
Wed Dec 20 17:50:28 UTC 2017
On 12/20/2017 10:40 AM, Grant Taylor via bind-users wrote:
> I don't remember the specifics, but there is a way built into BIND to do
> what you are wanting.
Well, my GoogleFu seems to be working today:
Link - DNS Dynamic Update (DNS and BIND, 4th Edition)
- https://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_02.htm
> I think there's an ACL configuration where you can configure that DDNS
> clients are only able to update the records that they own. - I think
> ownership is related to the connecting IP.
"update-policy" seems to be what you want.
> I do remember that when I tested this, it was trivial to set up and one
> configuration entry seemed to apply multiple DDNS clients.
Per the linked page, something like the following allows all machines in
the fx.movie.edu zone to update their own records.
zone "fx.movie.edu" {
    type master;
    file "db.fx.movie.edu";
    update-policy { grant *.fx.movie.edu. self fx.movie.edu. A; };
};
Short of this, the other hack that I had considered was to use a CNAME
to a child zone that the client was allowed to update. I.e.
example.fx.movie.edu. CNAME example.ddns.fx.movie.edu, which example had
full control over. - But this scheme proved to be unnecessary with the
"update-policy { grant … self … };" technique above.
--
Grant. . . .
unix || die
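To see why the CNAME-to-child-zone workaround is not needed, here is a small model of how BIND evaluates update-policy rules such as the one above. This is an added example, not code from the post or from BIND; the wildcard-identity and "any type" behaviour follow my reading of the BIND ARM, and the dot-based name detection in parse_rule is my own heuristic.

```python
from collections import namedtuple

NOT_IN_ANY = {"RRSIG", "NS", "SOA", "NSEC", "NSEC3"}  # a rule with no types ("any") still excludes these
# One rule: action grant|deny, identity = key name or wildcard, nametype
# self|name|subdomain, name (ignored for self), types (empty frozenset = "any").
Rule = namedtuple("Rule", "action identity nametype name types")

def labels(name):
    name = name.lower().rstrip(".")  # owner name as lower-case label list; '.' and '' give []
    return name.split(".") if name else []

def at_or_below(name, parent):
    n, p = labels(name), labels(parent)
    return len(n) >= len(p) and n[len(n) - len(p):] == p

def identity_matches(identity, key):
    """'*' = any key; '*.suffix' = any key strictly below suffix (this model's
    reading of BIND's wildcard match); anything else is an exact key name."""
    if identity == "*":
        return True
    if identity.startswith("*."):
        return at_or_below(key, identity[2:]) and labels(key) != labels(identity[2:])
    return labels(identity) == labels(key)

def parse_rule(text):
    """Parse 'grant|deny identity nametype [name] [types...];' (name optional for self)."""
    action, identity, nametype, *rest = text.strip().rstrip(";").split()
    name = ""
    if rest and (nametype != "self" or "." in rest[0]):  # heuristic: names carry a dot
        name, rest = rest[0], rest[1:]
    return Rule(action, identity, nametype, name, frozenset(t.upper() for t in rest))

def rule_matches(rule, key, rname, rtype):
    if not identity_matches(rule.identity, key):
        return False
    hit = {"self": labels(rname) == labels(key),
           "name": labels(rname) == labels(rule.name),
           "subdomain": at_or_below(rname, rule.name)}[rule.nametype]
    rtype = rtype.upper()
    return hit and (rtype in rule.types if rule.types else rtype not in NOT_IN_ANY)

def update_allowed(policy, key, rname, rtype):
    """Rules are tried in order; the first match decides, no match refuses."""
    for rule in policy:
        if rule_matches(rule, key, rname, rtype):
            return rule.action == "grant"
    return False

# The post's policy: a key named after a host may touch only that host's A record.
POLICY = [parse_rule("grant *.fx.movie.edu. self fx.movie.edu. A;")]
```

With this policy a key named example.fx.movie.edu. can replace its own A record but is refused when it targets another host's name or a different record type, which is the per-client isolation the CNAME scheme was trying to get.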