Lock specific records in dynamic zone...

Kevin Darcy kcd at daimlerchrysler.com
Sat Feb 25 00:05:57 UTC 2006


Daniel Costello wrote:

>Hello all,
>
>I have a fairly strange question.  In our DNS, we have our primary zone
>which up until now has been updated only by our DHCP server via TSIG
>key, etc.  We are looking at opening this up so that PC clients can update
>their own DNS.  Our only concern is that servers have their dns records in
>this same zone file and we don't want to chance they get overwritten, etc.
>
>My question:
>
>Is there a way to flag single records within a dynamically updated dns zone
>file making them not changeable in some way?  I know this kind of defeats
>the purpose of dynamic updates in the first place.
>
>I would assume the only alternative would be to create a separate zone file
>for each server, which would be fairly time consuming.
>
update-policy {
    // rules are checked in order and the first match wins, so the deny
    // entries for the protected names must come before the grant
    deny * name locked1.example.com.;
    deny * name locked2.example.com.;
    deny * name locked3.example.com.;
    // (etc.)
    grant * wildcard *;
};

You can't mix update-policy and allow-update for the same zone, however, 
so any source-address-based restrictions you currently have wouldn't 
carry forward.

- Kevin
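As an added illustration (not part of Kevin's reply or of any BIND documentation), here is a complete BIND 9 zone stanza built on the same idea: a few server names are denied to every key, the DHCP key keeps its broad rights, and each PC key can only touch the name it is named after. The key names, zone name and protected hostnames are assumptions; the secrets are placeholders.

```conf
// Added example, not from the original post. Key names, zone name and
// the protected hostnames are assumptions; secrets are placeholders.

key "dhcp-key" {
    algorithm hmac-sha256;
    secret "<base64 secret, placeholder>";
};

// One key per PC, named after the host it belongs to. With the 'self'
// nametype below, this key can only update pc1.example.com. itself.
key "pc1.example.com." {
    algorithm hmac-sha256;
    secret "<base64 secret, placeholder>";
};

zone "example.com" {
    type master;
    file "dyn/example.com.db";
    // update-policy rules are tested in order and the first match wins,
    // so the deny rules for the protected server names come first.
    update-policy {
        // Servers whose records must never change via dynamic update,
        // whichever key signs the request.
        deny * name ns1.example.com.;
        deny * name mail.example.com.;
        deny * name www.example.com.;
        // The DHCP server may update any other name in the zone.
        grant dhcp-key subdomain example.com. ANY;
        // Any other key may only update the name equal to its own key
        // name, and only A, AAAA and TXT records there.
        grant * self * A AAAA TXT;
    };
};
```

named-checkconf validates the syntax once real secrets (generated with tsig-keygen, or dnssec-keygen on older releases) replace the placeholders.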



