Modify BIND ACLs on-the-fly?

Jan-Piet Mens jpmens.dns at
Tue Nov 22 12:42:44 UTC 2011


I'm looking at a BIND installation with a largish number of views, each
of which allow recursion and contain a couple of RPZ zones. Each view
has a `match-clients{}' option limiting access to the view to a very
small number of addresses. (Typically the single address of a client
with a dynamic IP address.)

When the IP of the client changes (reported and handled out-of-band),
the address_match_list in the view must be modified, which I can do with
includes & scripting-magic followed by `rndc reconfig', but can I do
this more elegantly?

I was thinking along the lines of `rndc addzone', but that adds a zone
to an existing view only.

A fresh study of the latest ARM reveals nothing that I could use to
dynamically modify an ACL to place into match-clients{}, unless I've
overlooked something.

<dreaming mode="on">

Maybe I'm dreaming along the lines of a BIND zone updatable via DDNS,
that I can use to configure ACL content ... ;-)

	zone "acl-list" in {
		type master;
		allow-query { none; };
		file "acl-list.db";
		update-policy local;

	view j1 in {
		match-clients { sales.acl-list. ; };

	$TTL 30
	@ SOA acl-list. dev.null. 1 3600 1800 604800 30
		  NS localhost.
	sales	IN A
		IN A
		IN A


Any ideas or suggestions?



More information about the bind-users mailing list