Lock specific records in dynamic zone...
Kevin Darcy
kcd at daimlerchrysler.com
Sat Feb 25 00:05:57 UTC 2006
Daniel Costello wrote:
>Hello all,
>
>I have a fairly strange question. In our DNS, we have our primary zone
>which up until now has been updated only by our DHCP server via TSIG
>key, etc. We are looking at opening this up so that PC clients can update
>their own DNS. Our only concern is that servers have their DNS records in
>this same zone file and we don't want to chance they get overwritten, etc.
>
>My question:
>
>Is there a way to flag single records within a dynamically updated DNS zone
>file, making them not changeable in some way? I know this kind of defeats
>the purpose of dynamic updates in the first place.
>
>I would assume the only alternative would be to create a separate zone file
>for each server, which would be fairly time consuming.
>
update-policy {
        // rules are checked in order and the first match wins, so the
        // deny lines for the protected names must precede the grant
        deny * name locked1.example.com.;
        deny * name locked2.example.com.;
        deny * name locked3.example.com.;
        (etc.)
        // catch-all: any signer may update any other name under the zone
        grant * wildcard *;
};
You can't mix update-policy and allow-update for the same zone, however,
so any source-address-based restrictions you currently have wouldn't
carry forward.
- Kevin
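The ordering point in Kevin's policy (deny rules before the wildcard grant) is easy to get wrong, so here is a small simulator of how named evaluates an update-policy block. This is an added example, not code from the original post or from BIND: it models the documented rule semantics (rules tried in order, first match decides, no match means refused, names compared case-insensitively) for the name, subdomain and wildcard nametypes, ignores the optional trailing types field, and treats unqualified rule names as relative to an assumed zone origin of example.com. The key name pc17-key, the host names pc17 and www.locked1, and the two policy texts are constructed for the demonstration. It goes a little beyond the post by also showing that an exact-match name rule does not protect names below the locked owner, and that one refused name refuses the whole update message.

```python
"""Simulation of BIND 9 update-policy evaluation (added example, not from the post).

Rules are tried in order; the first rule whose identity and name both match
decides; an update matching no rule is refused. The trailing 'types' field is
ignored and unqualified names are taken relative to an assumed zone origin.
"""
from dataclasses import dataclass
from typing import List

ZONE = "example.com."   # assumed zone origin for the simulation


def _labels(name: str) -> List[str]:
    """Canonical label list: lower-cased, fully qualified relative to ZONE."""
    name = name.lower()
    if not name.endswith("."):
        name = f"{name}.{ZONE}"
    return [label for label in name.split(".") if label]


def _ends_with(labels: List[str], suffix: List[str]) -> bool:
    if not suffix:
        return True
    return len(labels) >= len(suffix) and labels[-len(suffix):] == suffix


@dataclass
class Rule:
    action: str     # "grant" or "deny"
    identity: str   # signer (TSIG key name) or "*" for any signer
    nametype: str   # "name", "subdomain" or "wildcard"
    name: str

    def matches(self, signer: str, target: str) -> bool:
        if self.identity != "*" and \
                self.identity.lower().rstrip(".") != signer.lower().rstrip("."):
            return False
        t, n = _labels(target), _labels(self.name)
        if self.nametype == "name":         # exact owner name only
            return t == n
        if self.nametype == "subdomain":    # the name itself and everything below it
            return _ends_with(t, n)
        if self.nametype == "wildcard":     # '*' stands for one or more leading labels
            if not n or n[0] != "*":
                raise ValueError(f"wildcard rule needs a leading '*': {self.name}")
            suffix = n[1:]
            return len(t) > len(suffix) and _ends_with(t, suffix)
        raise ValueError(f"unsupported nametype: {self.nametype}")


def parse_policy(text: str) -> List[Rule]:
    """Parse the body of an update-policy { ... } block, one rule per line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("grant", "deny"):
            raise ValueError(f"cannot parse rule: {raw!r}")
        rules.append(Rule(parts[0], parts[1], parts[2], parts[3]))  # parts[4:] = types, ignored
    return rules


def decide(policy: List[Rule], signer: str, target: str) -> str:
    """First matching rule wins; no match means the update is refused."""
    for rule in policy:
        if rule.matches(signer, target):
            return rule.action
    return "deny"


def check_update(policy: List[Rule], signer: str, targets: List[str]) -> bool:
    """Every RR in the update section is checked; one denied name refuses the whole message."""
    return all(decide(policy, signer, t) == "grant" for t in targets)


# Kevin's policy: deny rules first, then the catch-all grant.
LOCKED_FIRST = """
deny * name locked1.example.com.;
deny * name locked2.example.com.;
deny * name locked3.example.com.;
grant * wildcard *;
"""

# Same rules with the grant moved to the top: the wildcard grant matches
# first, the deny lines are never reached, and the "lock" does nothing.
GRANT_FIRST = """
grant * wildcard *;
deny * name locked1.example.com.;
deny * name locked2.example.com.;
deny * name locked3.example.com.;
"""

if __name__ == "__main__":
    for label, text in (("locked-first", LOCKED_FIRST), ("grant-first", GRANT_FIRST)):
        policy = parse_policy(text)
        print(f"--- {label}")
        for target in ("locked1.example.com.", "LOCKED1.Example.COM.",
                       "pc17.example.com.", "www.locked1.example.com."):
            print(f"{target:30} {decide(policy, 'pc17-key', target)}")
        # A single message touching an allowed and a locked name is refused outright.
        print("mixed update accepted:",
              check_update(policy, "pc17-key", ["pc17.example.com.", "locked1.example.com."]))
```

Two things the run makes visible: with the grant first, locked1.example.com. is granted because the wildcard matches before the deny is consulted, and even with the correct order a name rule leaves www.locked1.example.com. updatable, so a server whose children should also be frozen needs a subdomain rule instead.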