Regexp to match RR's

Chris Buxton cbuxton at menandmice.com
Thu Apr 9 03:38:28 UTC 2009


On Apr 8, 2009, at 5:59 PM, Jonathan Petersson wrote:
>> On Apr 8, 2009, at 3:21 PM, Kevin Darcy wrote:
>>> I'm not a big fan of allowing users to enter Resource Records verbatim.
>>> Most users aren't that sophisticated, or, if they are, they can do their
>>> nsupdates directly, if they have been given access to the relevant TSIG key
>>> (how's that for a False Dilemma argument :-)
>>
>> Again, I have to disagree with that statement. Aside from automated updates,
>> even for dynamic zones (zones that allow dynamic updates), our customers
>> wouldn't want day-to-day updates being submitted by dynamic update from user
>> to DNS server. The reason is that dynamic updates are anonymous - there's no
>> audit trail. For compliance reasons, it's valuable to have such updates
>> submitted through a tool that logs them (user, timestamp, actions, user
>> comment), even if the tool then sends them on to the DNS server via dynamic
>> updates.
>
> Not sure if we're talking about the same kind of dynamic update here,
> I'm referring to updates controlled by update-policy in conjunction
> with TSIG keys. Each independent user can have his own key with
> applicable restrictions and it's logged accordingly in BIND's
> log-files.

OK, that's true. But you have to be very careful not to run into a
situation in which BIND stops logging - you must use a recent version
of BIND (9.3+) and configure log rolling settings (versions and size),
and then have a way to archive the older logs appropriately.

> Dynamic updates are invaluable when you have business units who want
> to maintain control of their own zones but aren't allowed to
> manipulate data directly on the DNS master servers.

Men & Mice Suite also gives this ability, without having to require
users to understand nsupdate (or TSIG keys). It allows an
administrator to decide who can see which zones, and what they can do
with them once they see them. Users do not have to be given shell
access to the servers, or any access at all outside of Men & Mice Suite.

I'm not trying to argue that you have to switch to our solution to
have proper logging, privilege control, etc. I'm simply trying to
rebut Kevin's opinion that allowing users to enter RRs in standard
form is somehow bad, and using our solution as an example to back up
my opinion. With the right management software looking over their
shoulders, as it were, enforcing proper syntax, enforcing privileges,
and logging all activity, it can be fine.

Chris Buxton
Professional Services
Men & Mice
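The setup Jonathan describes (one TSIG key per business unit, scoped by update-policy) and the logging trap Chris warns about (a size-limited log file that BIND stops writing to) can both be shown in a single named.conf fragment. This is an added example for this archive page, not configuration from either poster, from Men & Mice, or from the BIND documentation; the zone and key names are placeholders, and the two secrets are just base64 of dummy strings, so replace them with tsig-keygen (or dnssec-keygen) output before use.

```conf
// Added example, not from the original message. Names and secrets are
// placeholders; generate real secrets with tsig-keygen or dnssec-keygen.

// One key per business unit. The key name is the "identity" that
// update-policy matches, and it is written as the signer into the
// update log line, which is what gives per-unit attribution.
key "unit-a.example.com." {
    algorithm hmac-sha256;
    secret "bm90LWEtcmVhbC1zZWNyZXQ=";      // placeholder (base64 of a dummy string)
};
key "unit-b.example.com." {
    algorithm hmac-sha256;
    secret "YW5vdGhlci1kdW1teS1zZWNyZXQ=";  // placeholder (base64 of a dummy string)
};

logging {
    // WEAK: "size" without "versions". Once update.log reaches 10 MB,
    // named stops writing to the file until something outside BIND
    // truncates it, so the audit trail silently ends.
    //
    // channel update_log {
    //     file "/var/log/named/update.log" size 10m;
    //     severity info;
    //     print-time yes;
    //     print-category yes;
    // };

    // CORRECTED: with "versions", named rolls the file when it hits
    // "size" (update.log -> update.log.0 -> ... -> update.log.9) and keeps
    // logging. An external job still has to archive the rolled copies.
    channel update_log {
        file "/var/log/named/update.log" versions 10 size 10m;
        severity info;
        print-time yes;
        print-category yes;
    };

    // "update" records the updates themselves; "update-security" records
    // which signer was granted or refused.
    category update          { update_log; };
    category update-security { update_log; };
};

zone "example.com" {
    type master;
    file "master/example.com.db";

    // No allow-update here: that would let any holder of any listed key
    // change anything in the zone. update-policy scopes each key instead.
    update-policy {
        // unit-a may only touch A/AAAA records beneath unit-a.example.com
        grant unit-a.example.com. subdomain unit-a.example.com. A AAAA;
        // unit-b likewise, plus CNAME, still only within its own subtree
        grant unit-b.example.com. subdomain unit-b.example.com. A AAAA CNAME;
        // anything else (the apex, SOA/NS, other subtrees) is refused and
        // shows up in the update-security log as a denial
    };
};
```

The two halves depend on each other: update-policy only gives an audit trail if every unit has its own key (a shared key makes every change look like the same signer), and that trail is only worth anything if the channel it lands in never goes quiet, which is why the corrected channel carries both `versions` and `size`.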
