Divided Permissions for DDNS?
Paul Vixie
vixie at sa.vix.com
Thu Oct 7 16:24:25 UTC 2004
> Now I have a domain in which more than one source must have the rights to
> do dynamic updates via TSIG. Is there a way to avoid collisions? To give
> the right permissions in such a way that a record written by source_A
> could not be deleted by source_B?
no. not in bind, and not in rfc2136. source_A and source_B could choose to
cooperate, by adding a TXT RR or some other marker whose text must match the
creator's identity as a prerequisite of subsequent updates. but DNS UPDATE
has no arbitration mechanism for non-cooperating updaters.

i once thought that some rule of the form "a host ought to be allowed to
change the PTR for its own address" would be useful, but ip source address
authorization/authentication is unsafe in an anti-BCP38 world like ours.
perhaps a similar rule involving IPSEC will evolve over time.
--
Paul Vixie
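
Added example (not part of the original post, and not BIND code): a small Python model of the RFC 2136 prerequisite check, showing the cooperative TXT-marker convention described above and why it does not bind an updater that omits the prerequisite. The zone layout, the "owner=" marker format and all names and addresses are constructed assumptions.

```python
# Toy in-memory model of RFC 2136 prerequisite processing (not BIND code).
# zone maps (name, rtype) -> set of rdata strings. All data is constructed.

def apply_update(zone, prereqs, updates):
    """Check every prerequisite first; apply the updates only if all pass."""
    for kind, name, rtype, rdata in prereqs:
        if kind == "nxdomain":              # "name is not in use"
            if any(n == name for (n, _t) in zone):
                return "YXDOMAIN"
        elif kind == "yxrrset":             # value-dependent "RRset exists"
            if zone.get((name, rtype), set()) != set(rdata):
                return "NXRRSET"
    for op, name, rtype, rdata in updates:
        if op == "add":
            zone.setdefault((name, rtype), set()).add(rdata)
        elif op == "delete_name":           # delete all RRsets at the name
            for key in [k for k in zone if k[0] == name]:
                del zone[key]
    return "NOERROR"

def create(zone, owner, name, addr):
    """Cooperative create: name must be unused; store an owner marker."""
    return apply_update(zone,
        [("nxdomain", name, None, None)],
        [("add", name, "A", addr), ("add", name, "TXT", "owner=" + owner)])

def replace(zone, owner, name, addr):
    """Cooperative replace: the TXT marker must match the caller's identity."""
    return apply_update(zone,
        [("yxrrset", name, "TXT", ["owner=" + owner])],
        [("delete_name", name, None, None),
         ("add", name, "A", addr), ("add", name, "TXT", "owner=" + owner)])

def demo():
    zone = {}
    results = [
        create(zone, "source_A", "host1.example.", "192.0.2.10"),
        create(zone, "source_B", "host1.example.", "192.0.2.20"),
        replace(zone, "source_B", "host1.example.", "192.0.2.20"),
        replace(zone, "source_A", "host1.example.", "192.0.2.11"),
        # Non-cooperating updater: sends no prerequisite, so nothing stops it.
        apply_update(zone, [], [("delete_name", "host1.example.", None, None)]),
    ]
    return results, zone

if __name__ == "__main__":
    print(demo())
```

The last call in demo() is the case the reply warns about: the marker only protects a record against updaters that choose to send the prerequisite.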