Divided Permissions for DDNS?

Paul Vixie vixie at sa.vix.com
Thu Oct 7 16:24:25 UTC 2004

> Now I have a domain in which more than one source must have the rights to
> do dynamic updates via TSIG.  Is there a way to avoid collisions? To give
> the right-permissions in a way, that a record that is written by source_A
> not could be deleted by source_B?

no.  not in bind, and not in rfc2136.  source_A and source_B could choose to
cooperate, by adding a TXT RR or some other marker whose text must match the
creator's identity as a prerequisite of subsequent updates.  but DNS UPDATE
has no arbitration mechanism for non-cooperating updators.

i once thought that some rule of the form "a host ought to be allowed to
change the PTR for its own address" would be useful, but ip source address
authorization/authentication is unsafe in an anti-BCP38 world like ours.
perhaps a similar rule involving IPSEC will evolve over time.
Paul Vixie

More information about the bind-users mailing list