Can update-policy accept IP addresses?
Patrick Rynhart
patrick at rynhart.co.nz
Wed May 24 03:59:56 UTC 2023
Currently we have (for our Master zone) a list of IPs that can update
our DNS master using the allow-update statement:

    zone "redacted.ac.nz" {
        type master;
        allow-update {
            ::1;
            127.0.0.1;
            131.123.103.2;
            131.123.88.3;
            ...
        };
    };

We are wanting to transition to the more modern update-policy
statement (because we want to make use of keys), but as a transition
step we would like our existing whitelisted IPs to be included. We
have tried the following:

    zone "redacted.ac.nz" {
        type master;
        update-policy {
            grant ::1 zonesub ANY;
            grant 127.0.0.1 zonesub ANY;
            grant 131.123.103.2 zonesub ANY;
            grant 131.123.88.3 zonesub ANY;
            ...
        };
    };

But all operations from the whitelisted IPs result in the following:
update 'assey.ac.nz/IN' denied
If we roll back to the "allow-update" statement block, everything
starts working again.
Could someone please advise whether update-policy allows IPs (there
are some sources on the net that suggest it should be able to accept
IPs and/or FQDN addresses - for example
http://pig.made-it.com/ddns.html)?
If the statement does allow it, how can we go about troubleshooting?
We have already tried starting named in the foreground with -d 10, but
don't get anything useful (just update 'assey.ac.nz/IN' denied).
With Thanks in Advance
Patrick
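
Added example, not part of the original post: in BIND 9 the identity field of an update-policy rule is compared with the name of the key that signed the update, not with the client's source address, so a small lint pass over the configuration can flag rules like the ones quoted above. The sample configuration is constructed, the key name "ddns-key" is hypothetical, and the check assumes TSIG keys are defined in the same file as the zone.

```python
import ipaddress
import re

# Constructed sample: the grant rules quoted in the post plus one
# hypothetical key-based rule ("ddns-key" is an assumed name).
SAMPLE_CONF = """
key "ddns-key" { algorithm hmac-sha256; secret "PLACEHOLDER"; };
zone "redacted.ac.nz" {
    type master;
    update-policy {
        grant ::1 zonesub ANY;
        grant 127.0.0.1 zonesub ANY;
        grant 131.123.103.2 zonesub ANY;
        grant ddns-key zonesub ANY;
    };
};
"""

# key "<name>" { ... };   (key statements only; ACL entries have no brace)
KEY_RE = re.compile(r'\bkey\s+"?([^\s"{;]+)"?\s*\{')
# grant|deny <identity> <ruletype> ...
RULE_RE = re.compile(r'\b(grant|deny)\s+"?([^\s";]+)"?\s+([\w-]+)')


def is_ip(text):
    """True if text parses as an IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def lint_update_policy(conf):
    """Return (identity, problem) pairs for rules that cannot match a signer."""
    keys = {k.rstrip(".").lower() for k in KEY_RE.findall(conf)}
    findings = []
    for _action, identity, _ruletype in RULE_RE.findall(conf):
        if is_ip(identity):
            findings.append((identity, "IP literal used where a key name is expected"))
        elif "*" not in identity and identity.rstrip(".").lower() not in keys:
            findings.append((identity, "no matching key statement in this file"))
    return findings


if __name__ == "__main__":
    for identity, problem in lint_update_policy(SAMPLE_CONF):
        print(f"{identity}: {problem}")
```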
More information about the bind-users mailing list