update-policy restricting to a subnet

Bill Larson wllarso at swcp.com
Mon Oct 5 16:22:14 UTC 2009


Not to the list but just to you.

I could imagine a system having multiple views defined with only one view 
that allows DDNS updates.  The other views would be "read-only".  This 
wouldn't be pretty, but ...

In this one view that allows DDNS, you wouldn't be restricted to ONLY "A" 
records.  Users would still be able to set up other records too using DDNS.

I have seen this where you have an internal network on which you want to allow 
the users, the client machines, to update the DNS information using DDNS.  But 
if they carry their laptop home and connect to the Internet, they will still 
try to send a DDNS update to the DNS server, but it is rejected by the 
server because it is not coming from an internal network address.  
(Define "subnet" and "internal network" any way you want.)

Couldn't you have your DDNS updates come from your DHCP server rather than 
directly from the client machines?  If you can "trust" your DHCP server to 
only do what you want, then you wouldn't have to worry about anything else 
updating your data.

For example, if you were trying to manage the "example.com" domain and you 
wanted to allow DDNS to create a record for "x.example.com" with the 
address of 192.168.1.10, then the DHCP server for the 192.168.1.0 network 
could be explicitly allowed to update the DNS data, but the clients on the 
network wouldn't have to be allowed.  And a client on the 192.168.2.0 
network still wouldn't be able to update, because it did not get its 
address from the DHCP server on the 192.168.1.0 network.

Bill Larson

Nicholas F Miller <Nicholas.Miller at Colorado.EDU> said:

> I take it this is not possible using update-policy?
> _________________________________________________________
> Nicholas Miller, ITS, University of Colorado at Boulder
> 
> 
> 
> On Sep 30, 2009, at 11:29 AM, Nicholas F Miller wrote:
> 
> > Is it possible to restrict user machines to only be able to update  
> > their 'A' records on a specific subnet? We would like to allow DDNS  
> > but restrict it to specific subnets and only allow the machines to  
> > update their 'A' records. Allow-updates will not get us the record  
> > restrictions we would need to implement this and it doesn't appear  
> > that update-policy has any understanding of subnet scoping.
> > _________________________________________________________
> > Nicholas Miller, ITS, University of Colorado at Boulder
> >
> >
> >
> > _______________________________________________
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> 
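The two approaches Bill sketches (an internal view that is the only one accepting updates, and a TSIG-keyed DHCP server doing the updates on the clients' behalf) fit together in one named.conf. The configuration below is an added example, not code from the list post or from ISC; the key name "dhcp-key", the 192.168.1.0/24 subnet, the 192.168.1.2 server address and the zone file paths are assumptions. The subnet scoping that update-policy lacks comes from the view's match-clients; the record-type restriction comes from the types field at the end of the grant rule, which limits the key holder to A records.

```conf
# ---- /etc/named.conf (BIND 9) -- added example, assumed names/paths ----

# TSIG key shared with the DHCP server. Generate the secret out of band
# (e.g. with dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST dhcp-key) and
# never reuse it as an rndc or zone-transfer key.
key "dhcp-key" {
    algorithm hmac-sha256;
    secret "<base64 secret here>";
};

# Internal view: seen only by the internal subnet and by requests signed
# with dhcp-key. This is the one view whose zone accepts dynamic updates.
view "internal" {
    match-clients { 192.168.1.0/24; key dhcp-key; };
    recursion yes;

    zone "example.com" {
        type master;
        file "dynamic/example.com.internal";
        # Only the DHCP server, proven by its TSIG signature, may add or
        # delete A records anywhere under example.com. Unsigned updates
        # from 192.168.1.0/24 clients are refused because no rule grants
        # them anything. (allow-update and update-policy are mutually
        # exclusive in a zone; use one or the other.)
        update-policy {
            grant dhcp-key subdomain example.com. A;
            # If each client instead holds its own key named after its
            # FQDN, this rule lets a key touch only its own A record:
            # grant * self * A;
        };
    };
};

# External view: everyone else, including the same laptop when it is at
# home. No allow-update/update-policy here, so a DDNS attempt gets REFUSED,
# and the external copy of the zone is effectively read-only.
view "external" {
    match-clients { any; };
    recursion no;

    zone "example.com" {
        type master;
        file "static/example.com.external";
    };
};

# ---- /etc/dhcpd.conf (ISC DHCP, assumed) -- the other end of the key ----
# ddns-update-style interim;
# ddns-updates on;
# ddns-domainname "example.com.";
# key dhcp-key {
#     algorithm hmac-sha256;
#     secret "<same base64 secret>";
# }
# zone example.com. {
#     primary 192.168.1.2;
#     key dhcp-key;
# }
# subnet 192.168.1.0 netmask 255.255.255.0 {
#     range 192.168.1.100 192.168.1.200;
# }
```

Two caveats a practitioner should check before relying on this: the two views serve separate zone files, so a name the DHCP server registers in the internal view never appears in the external view (which is the intended "read-only" behaviour, but also means you cannot share one master file between them); and older ISC DHCP releases only speak HMAC-MD5 TSIG, so confirm both ends agree on the algorithm before assuming the hmac-sha256 key above will sign anything. To test the policy, run nsupdate from a 192.168.2.0 host and from an internal host without the key, then signed with -k; only the signed attempt should be accepted, and only for an A record.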