Question Regarding Restricting Updates

Mark.Andrews at nominum.com Mark.Andrews at nominum.com
Sat May 19 07:27:42 UTC 2001


> 
> I assume you're talking about forward domains, right? The answer for reverse
> domains is trivial.
> 
> No, I can't think of any way to do this, short of delegating separate subzones
> for each set of clients on each subnet (blech!).
> 
> It would be nice if BIND had a more flexible ACL mechanism for Dynamic Updates.
> Yes, I know all about update-policy in BIND 9, but that's based on
> signer-identity in a TSIG or SIG(0) context, which doesn't help at all when
> dealing with Win2K clients. And yes, I know that authentication by source IP is
> weak. But it would be really handy to have an ACL like "a.b.c.d can only
> manipulate A records with an RDATA of a.b.c.d" or, more generally "clients in
> range X can only manipulate A records referring to themselves". This I think
> would help contain a lot of the "Win2K running amuck with Dynamic Update" chaos
> and tide us over until the "BIND implements GSS-TSIG" versus "Microsoft
> implements TSIG and/or SIG(0)" standoff is resolved.

	Or even until Microsoft implements GSS-TSIG.  W2K does not implement
	GSS-TSIG, it implements something that is close to GSS-TSIG.

	Mark
> 
> 
> - Kevin
> 
> Smith, William E. (Bill), Jr. wrote:
> 
> > Is it possible to restrict updates for a subnet within a particular domain
> > to within that subnet only?  For example, if we have domain x.y.edu for
> > which subnets 10, 20, and 30 are part of, can you restrict dynamic updates
> > on subnet 30 to only machines within that subnet?   Currently, I only see
> > being able to restrict updates within a domain to specific subnets but
> > anyone within those subnets being able to update any of the other subnet's
> > objects.  The background behind this question is with regards to W2K and
> > their "feature" of being able to overwrite existing DNS entries if you have
> > DDNS configured on the box.  This is according at least to the 4th Edition
> > DNS & BIND.  We're trying to steer away from W2K DNS and stick with our BIND
> > servers but want to allow dynamic updates to occur..to at least the
> > subdomains
> >
> > Thanks,
> >
> > Bill
> 
> 
> 
> 
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
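The two mechanisms the thread contrasts, as an added named.conf illustration that is not part of the original mail or of BIND's own documentation. The zone name x.y.edu and subnet 30 come from Bill's question; the ACL name, the host name host30-1, the key algorithm and the secret are hypothetical, and the two zone stanzas are alternatives for the same zone, not meant to coexist in one file.

```conf
// Added example, not from the thread. Hypothetical names throughout.

// 1. Source-address ACL (what allow-update offers). Any host in subnet 30
//    may add, change or delete ANY record in x.y.edu, including records that
//    belong to hosts on subnets 10 and 20, and the source address is not
//    authenticated. There is no way to say "only records referring to you".
acl subnet30 { 10.0.30.0/24; };

zone "x.y.edu" {
    type master;
    file "x.y.edu.zone";
    allow-update { subnet30; };
};

// 2. BIND 9 update-policy. The grant is tied to the signer identity of a
//    TSIG key, not to the source IP. A key named after the host is allowed
//    to touch only that host's own A record and nothing else in the zone.
//    This requires a client that can send TSIG-signed updates (e.g. nsupdate),
//    which is exactly why the thread notes it does not help with Win2K.
key "host30-1.x.y.edu." {
    algorithm hmac-sha256;                            // assumed algorithm
    secret "<PLACEHOLDER: base64 secret from tsig-keygen>";
};

zone "x.y.edu" {
    type master;
    file "x.y.edu.zone";
    update-policy {
        // grant <identity> name <name> <types>
        grant host30-1.x.y.edu. name host30-1.x.y.edu. A;
        // One rule per host. BIND's "self" nametype generalises this by
        // matching the key name against the name being updated; consult the
        // ARM for the exact grant syntax in your version.
    };
};
```

Any update signed with a different key, or unsigned, is refused, and an update signed with host30-1's key that names another record (say host30-2.x.y.edu) is refused as well, which is the per-record scoping the source-address ACL cannot express.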

