Hi Grant,
Many thanks for the detailed information.
"update-policy” is new for me and maybe the solution.
I have to dig deeper into the documentation.
> update-policy { grant *.fx.movie.edu. self fx.movie.edu. A; };
What does it say ?
So far I have seen the client is only allowed to update his own record. That
means if the client has a new IP it can update the IP address.
Does it mean the client is only allowed to update within the same network range
?
It seems I am missing some important information. Maybe I am blind, but how is
the client name verified ?
What happens if a client has for example the name “www” ?
( Assume we have already a record with name “www” and IP but in a different
network than the client )
Kind regards
Hans
> On 20.12.2017, at 18:50, Grant Taylor via bind-users
> <[email protected]> wrote:
>
> On 12/20/2017 10:40 AM, Grant Taylor via bind-users wrote:
>> I don't remember the specifics, but there is a way built into BIND to do
>> what you are wanting.
>
> Well, my GoogleFu seems to working today:
>
> Link - DNS Dynamic Update (DNS and BIND, 4th Edition)
> - https://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_02.htm
>
>> I think there's an ACL configuration where you can configure that DDNS
>> clients are only able to update the records that they own. - I think
>> ownership is related to the connecting IP.
>
> "update-policy" seems to be what you want.
>
>> I do remember that when I tested this, it was trivial to set up and one
>> configuration entry seemed to apply multiple DDNS clients.
>
> Per the linked page, something like the following allows all machines in the
> fx.movie.edu zone to update their own records.
>
> zone "fx.movie.edu" {
> type master;
> file "db.fx.movie.edu";
> update-policy { grant *.fx.movie.edu. self fx.movie.edu. A; };
> };
>
> Short of this, the other hack that I had considered was to use a CNAME to a
> child zone that the client was allowed to update. I.e. example.fx.movie.edu.
> CNAME example.ddns.fx.movie.edu, which example had full control over. - But
> this scheme proved to be unnecessary with the "update-policy { grant … self …
> };" technique above.
>
>
>
> --
> Grant. . . .
> unix || die
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> [email protected]
> https://lists.isc.org/mailman/listinfo/bind-users
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
