Regexp to match RR's
Chris Buxton
cbuxton at menandmice.com
Thu Apr 9 03:38:28 UTC 2009
On Apr 8, 2009, at 5:59 PM, Jonathan Petersson wrote:
>> On Apr 8, 2009, at 3:21 PM, Kevin Darcy wrote:
>>> I'm not a big fan of allowing users to enter Resource Records verbatim.
>>> Most users aren't that sophisticated, or, if they are, they can do their
>>> nsupdates directly, if they have been given access to the relevant TSIG key
>>> (how's that for a False Dilemma argument :-)
>>
>> Again, I have to disagree with that statement. Aside from automated updates,
>> even for dynamic zones (zones that allow dynamic updates), our customers
>> wouldn't want day-to-day updates being submitted by dynamic update from user
>> to DNS server. The reason is that dynamic updates are anonymous - there's no
>> audit trail. For compliance reasons, it's valuable to have such updates
>> submitted through a tool that logs them (user, timestamp, actions, user
>> comment), even if the tool then sends them on to the DNS server via dynamic
>> updates.
>
> Not sure if we're talking about the same kind of dynamic update here,
> I'm referring to updates controlled by update-policy in conjunction
> with TSIG keys. Each independent user can have his own key with
> applicable restrictions and it's logged accordingly in BIND's
> log-files.
OK, that's true. But you have to be very careful not to run into a
situation in which BIND stops logging - you must use a recent version
of BIND (9.3+) and configure log rolling settings (versions and size),
and then have a way to archive the older logs appropriately.
> Dynamic updates are invaluable when you have business units who want
> to maintain control of their own zones but aren't allowed to
> manipulate data directly on the DNS master servers.
Men & Mice Suite also gives this ability, without having to require
users to understand nsupdate (or TSIG keys). It allows an
administrator to decide who can see which zones, and what they can do
with them once they see them. Users do not have to be given shell
access to the servers, or any access at all outside of Men & Mice Suite.
I'm not trying to argue that you have to switch to our solution to
have proper logging, privilege control, etc. I'm simply trying to
rebut Kevin's opinion that allowing users to enter RR's in standard
form is somehow bad, and using our solution as an example to back up
my opinion. With the right management software looking over their
shoulders, as it were, enforcing proper syntax, enforcing privileges,
and logging all activity, it can be fine.
Chris Buxton
Professional Services
Men & Mice
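The per-user TSIG key, update-policy restriction and rolling update log that the thread discusses fit together in a named.conf fragment like the following. This is an added example, not configuration from the thread or from any product mentioned in it; the key name, zone name, log path, rotation values and the secret are constructed placeholders, and the secret must be replaced with a real base64 value generated on the server.

```conf
// Added example (not from the thread). One TSIG key per business unit so
// that every signed update is attributable to that unit in the logs.
key "unit-a-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";   // replace with a generated secret
};

// Send update and update-security messages to their own rolling log.
// "versions" and "size" make BIND rotate the file instead of growing it
// without bound; archive the rotated copies off-box for the audit trail.
logging {
    channel update_log {
        file "/var/log/named/update.log" versions 10 size 20m;
        severity info;
        print-time yes;
        print-category yes;
    };
    category update          { update_log; };
    category update-security { update_log; };
};

// The unit may only touch names under its own subdomain, and only the
// listed record types; anything else signed with this key is refused
// and logged under update-security.
zone "unit-a.example.com" {
    type master;
    file "unit-a.example.com.zone";
    update-policy {
        grant unit-a-key subdomain unit-a.example.com. A AAAA CNAME TXT;
    };
};
```

Each update-policy grant names the key, the scope of names it may change and the record types it may add or delete, so the key itself carries the restriction rather than the client tool; the update-security category is where failed or unauthorised signed updates appear, which is the part of the log worth watching.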