Question Regarding Restricting Updates
Mark.Andrews at nominum.com
Sat May 19 07:27:42 UTC 2001
>
> I assume you're talking about forward domains, right? The answer for reverse
> domains is trivial.
>
> No, I can't think of any way to do this, short of delegating separate subzones
> for each set of clients on each subnet (blech!).
>
> It would be nice if BIND had a more flexible ACL mechanism for Dynamic Updates.
> Yes, I know all about update-policy in BIND 9, but that's based on
> signer-identity in a TSIG or SIG(0) context, which doesn't help at all when
> dealing with Win2K clients. And yes, I know that authentication by source IP is
> weak. But it would be really handy to have an ACL like "a.b.c.d can only
> manipulate A records with an RDATA of a.b.c.d" or, more generally "clients in
> range X can only manipulate A records referring to themselves". This I think
> would help contain a lot of the "Win2K running amuck with Dynamic Update" chaos
> and tide us over until the "BIND implements GSS-TSIG" versus "Microsoft
> implements TSIG and/or SIG(0)" standoff is resolved.
Or even until Microsoft implements GSS-TSIG. W2K does not implement
GSS-TSIG, it implements something that is close to GSS-TSIG.
Mark
>
>
> - Kevin
>
> Smith, William E. (Bill), Jr. wrote:
>
> > Is it possible to restrict updates for a subnet within a particular domain
> > to within that subnet only? For example, if we have domain x.y.edu for
> > which subnets 10, 20, and 30 are part of, can you restrict dynamic updates
> > on subnet 30 to only machines within that subnet? Currently, I only see
> > being able to restrict updates within a domain to specific subnets but
> > anyone within those subnets being able to update any of the other subnet's
> > objects. The background behind this question is with regards to W2K and
> > their "feature" of being able to overwrite existing DNS entries if you have
> > DDNS configured on the box. This is according at least to the 4th Edition
> > DNS & BIND. We're trying to steer away from W2K DNS and stick with our BIND
> > servers but want to allow dynamic updates to occur, to at least the
> > subdomains.
> >
> > Thanks,
> >
> > Bill
>
>
>
>
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at nominum.com
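The two controls contrasted in the thread, side by side: a source-IP `allow-update` ACL (Bill's current setup, which lets any host in the subnet alter any record in the zone) versus BIND 9's key-based `update-policy`, which ties a signer to the names it may touch. This is an added named.conf sketch, not configuration from the thread; the zone name is Bill's, while the prefix, hostname, key and secret are placeholders, and the two zone stanzas are alternatives, not meant to coexist in one file.

```conf
// Added example (not from the list post). Addresses, hostnames and the
// key secret are constructed placeholders.

// --- Alternative 1: source-IP ACL ---------------------------------------
// Any host that can send packets from 10.0.30.0/24 may add, change or
// delete ANY record in x.y.edu: this is the gap Bill describes and the
// "authentication by source IP is weak" point Kevin makes.
acl "subnet30" { 10.0.30.0/24; };      // constructed example prefix

zone "x.y.edu" {
    type master;
    file "x.y.edu.db";
    allow-update { subnet30; };
};

// --- Alternative 2: per-host TSIG key + update-policy (BIND 9) ----------
// The key may only touch the A record whose owner name equals the key
// name, whatever address the update comes from. An update that is not
// signed with a matching key is answered REFUSED, which is exactly why
// Kevin notes this does not help with unmodified Win2K clients.
key "host1.x.y.edu." {
    algorithm hmac-md5;                // what BIND 9.1 offered in 2001;
                                       // use hmac-sha256 on current BIND
    secret "c2VjcmV0LXBsYWNlaG9sZGVy"; // placeholder; generate a real one
                                       // with tsig-keygen (dnssec-keygen
                                       // -n HOST on early BIND 9)
};

zone "x.y.edu" {
    type master;
    file "x.y.edu.db";
    // allow-update and update-policy are mutually exclusive in one zone.
    update-policy {
        // grant <identity> <nametype> <name> [types]
        grant host1.x.y.edu. name host1.x.y.edu. A;
    };
};
```

Rejected updates under either variant are visible in the named log as "update ... denied" lines, which is the signal to watch for a client trying to rewrite a neighbour's record.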