Can update-policy accept IP addresses ?

Mark Andrews marka at isc.org
Wed May 24 04:44:58 UTC 2023



> On 24 May 2023, at 13:59, Patrick Rynhart <patrick at rynhart.co.nz> wrote:
> 
> Currently we have (for our Master zone) a list of IPs that can update
> our DNS master using the allow-update statement:
> 
> zone "redacted.ac.nz" {
>   type master;
>   allow-update {
>     ::1;
>     127.0.0.1;
>     131.123.103.2;
>     131.123.88.3;
>     ...
>   };
> };
> 
> We are wanting to transition to the more modern update-policy
> statement (because we want to make use of keys), but as a transition
> step we would like our existing whitelisted IPs to be included.  We
> have tried the following:
> 
> zone "redacted.ac.nz" {
>   type master;
>   update-policy {
>     grant ::1 zonesub ANY;
>     grant 127.0.0.1 zonesub ANY;
>     grant 131.123.103.2 zonesub ANY;
>     grant 131.123.88.3 zonesub ANY;
>     ...
>   };
> };
> 
> But all operations from the whitelisted IPs result in the following:
> 
> update 'assey.ac.nz/IN' denied
> 
> If we roll back to the "allow-update" statement block, everything
> starts working again.
> 
> Could someone please advise whether update-policy allows IPs (there
> are some sources on the net that suggest it should be able to accept
> IPs and/or FQDN addresses - for example
> http://pig.made-it.com/ddns.html) ?

No.  They are not accepted.  tcp-self and 6to4-self are the closest to
using IP addresses and allow for updating of only individual reverse names
with requests sent over TCP.  They are intended to allow hosts to add PTR
records for themselves without having to establish a prior trust relationship.

Just add keys to the allow-update acl as you transition services over, then
once everything is working using TSIG or SIG(0) move to update-policy.  Unless
you need the finer grain controls, allow-update is as secure as
update-policy.

allow-update {
	key key1;
	key key2;
	127.0.0.2;
	…
};

> If the statement does allow it, how can we go about troubleshooting ?
> We have already tried starting named in the foreground with -d 10, but
> don't get anything useful (just update 'assey.ac.nz/IN' denied)
> 
> With Thanks in Advance
> 
> Patrick

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
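As an added illustration of the point made in this reply (not code from the thread or from BIND), the script below takes an update-policy block like the one in the question, flags every rule whose identity is an IP literal (such rules parse as key names and so can never match a TSIG/SIG(0) signer), and emits the transitional allow-update ACL that mixes key names and addresses. The policy text and key name `key1` are constructed for the example.

```python
"""Flag IP-literal identities in a BIND update-policy and build the
transitional allow-update ACL suggested in the reply above."""
import ipaddress
import re

# Constructed sample mirroring the zone block in the original question,
# plus one real key-based rule and one tcp-self rule for contrast.
SAMPLE_POLICY = """
update-policy {
    grant ::1 zonesub ANY;
    grant 127.0.0.1 zonesub ANY;
    grant 131.123.103.2 zonesub ANY;
    grant key1 zonesub ANY;
    grant * tcp-self . PTR;
};
"""

# update-policy rules have the shape: grant|deny <identity> <ruletype> ...
GRANT_RE = re.compile(r"^\s*(grant|deny)\s+(\S+)\s+(\S+)", re.MULTILINE)


def is_ip_literal(identity: str) -> bool:
    """True if the identity is an IPv4/IPv6 address rather than a key name."""
    try:
        ipaddress.ip_address(identity)
        return True
    except ValueError:
        return False


def bad_ip_rules(policy: str) -> list[str]:
    """Identities that are IP literals: named accepts them as names, but no
    key of that name exists, so every update under such a rule is denied."""
    return [m.group(2) for m in GRANT_RE.finditer(policy)
            if is_ip_literal(m.group(2))]


def transitional_allow_update(policy: str) -> str:
    """Rewrite grant rules as an allow-update ACL: IPs stay as address
    elements, key names become 'key <name>;' elements. Wildcard identities
    and deny rules have no one-to-one ACL form and are skipped here."""
    lines = ["allow-update {"]
    for m in GRANT_RE.finditer(policy):
        verb, ident = m.group(1), m.group(2)
        if verb != "grant" or ident == "*":
            continue
        lines.append(f"\t{ident};" if is_ip_literal(ident) else f"\tkey {ident};")
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    print("rules that can never match:", bad_ip_rules(SAMPLE_POLICY))
    print(transitional_allow_update(SAMPLE_POLICY))
```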