On 12/20/2017 10:40 AM, Grant Taylor via bind-users wrote:
> I don't remember the specifics, but there is a way built into BIND to do what you are wanting.

Well, my GoogleFu seems to be working today:

Link - DNS Dynamic Update (DNS and BIND, 4th Edition)
 - https://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_02.htm

I think there's an ACL configuration where you can configure that DDNS clients are only able to update the records that they own.  -  I think ownership is related to the connecting IP.

"update-policy" seems to be what you want.

I do remember that when I tested this, it was trivial to set up and one configuration entry seemed to apply to multiple DDNS clients.

Per the linked page, something like the following allows all machines in the fx.movie.edu zone to update their own records.

        zone "fx.movie.edu" {
                type master;
                file "db.fx.movie.edu";
                update-policy { grant *.fx.movie.edu. self fx.movie.edu. A; };
        };

Short of this, the other hack that I had considered was to use a CNAME to a child zone that the client was allowed to update. I.e. example.fx.movie.edu. CNAME example.ddns.fx.movie.edu, which example had full control over. - But this scheme proved to be unnecessary with the "update-policy { grant … self … };" technique above.



--
Grant. . . .
unix || die
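
Added example (not part of the original message and not BIND's own code): a simplified Python model of how a "grant ... self" rule such as the one quoted above decides whether a dynamic update is permitted. It assumes the identity BIND compares is the name of the TSIG key that signed the update, that the name field after "self" is ignored, and that a wildcard identity matches any key name below its suffix; the host names in the sample cases are constructed.

```python
# Simplified model of one BIND update-policy rule using the "self" match type.
# Assumption: the signer identity is the TSIG key name used to sign the update.

POLICY = "grant *.fx.movie.edu. self fx.movie.edu. A;"  # rule from the message


def labels(name):
    """Split a DNS name into lower-case labels, ignoring the trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def identity_matches(pattern, key_name):
    """Exact match, or '*.suffix' matching any key name below the suffix."""
    p, k = labels(pattern), labels(key_name)
    if p and p[0] == "*":
        suffix = p[1:]
        return len(k) > len(suffix) and k[len(k) - len(suffix):] == suffix
    return p == k


def parse_grant(rule):
    """Parse 'grant <identity> self <name> <type> [...];' (types required here)."""
    tokens = rule.strip().rstrip(";").split()
    if len(tokens) < 5 or tokens[0] != "grant" or tokens[2] != "self":
        raise ValueError("only 'grant <identity> self <name> <types>' is modelled")
    return {"identity": tokens[1], "types": {t.upper() for t in tokens[4:]}}


def update_allowed(rule, key_name, record_name, rtype):
    """True if an update signed by key_name may change record_name/rtype."""
    grant = parse_grant(rule)
    if not identity_matches(grant["identity"], key_name):
        return False
    # "self": the record being updated must carry the signer's own name.
    if labels(record_name) != labels(key_name):
        return False
    return rtype.upper() in grant["types"]


if __name__ == "__main__":
    # Constructed cases: (signing key name, record being updated, record type)
    cases = [
        ("host1.fx.movie.edu.", "host1.fx.movie.edu.", "A"),   # own A record
        ("host1.fx.movie.edu.", "host2.fx.movie.edu.", "A"),   # someone else's
        ("host1.fx.movie.edu.", "host1.fx.movie.edu.", "MX"),  # type not granted
        ("host1.movie.edu.", "host1.movie.edu.", "A"),         # key outside zone
    ]
    for key, name, rtype in cases:
        verdict = "allow" if update_allowed(POLICY, key, name, rtype) else "deny"
        print(f"{verdict:5}  key={key}  update={name} {rtype}")
```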
