Modify BIND ACLs on-the-fly?
Jan-Piet Mens
jpmens.dns at gmail.com
Tue Nov 22 12:42:44 UTC 2011
Hello,
I'm looking at a BIND installation with a largish number of views, each
of which allows recursion and contains a couple of RPZ zones. Each view
has a `match-clients{}' option limiting access to the view to a very
small number of addresses. (Typically the single address of a client
with a dynamic IP address.)
When the IP of the client changes (reported and handled out-of-band),
the address_match_list in the view must be modified, which I can do with
includes & scripting-magic followed by `rndc reconfig', but can I do
this more elegantly?
I was thinking along the lines of `rndc addzone', but that adds a zone
to an existing view only.
A fresh study of the latest ARM reveals nothing that I could use to
dynamically modify an ACL to place into match-clients{}, unless I've
overlooked something.
<dreaming mode="on">
Maybe I'm dreaming along the lines of a BIND zone updatable via DDNS,
that I can use to configure ACL content ... ;-)
zone "acl-list" in {
    type master;
    allow-query { none; };
    file "acl-list.db";
    update-policy local;
};
view j1 in {
    match-clients { sales.acl-list. ; };
};
...
$TTL 30
@       SOA     acl-list. dev.null. 1 3600 1800 604800 30
        NS      localhost.
sales   IN A    192.168.1.2
        IN A    192.168.83.45
        IN A    10.1.1.98
</dreaming>
Any ideas or suggestions?
Regards,
-JP
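The "includes & scripting followed by rndc reconfig" approach the post describes, as an added example (not from the post or from BIND itself). It assumes named.conf does `include "/etc/bind/acls/sales.acl";` and the view uses `match-clients { sales; };`; the directory, file naming and acl name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: keep each view's match-clients
# addresses in an included acl file and reload with `rndc reconfig`.
# The directory, file naming and acl names are assumptions.
set -eu

ACL_DIR="${ACL_DIR:-/etc/bind/acls}"   # assumed; named.conf: include "/etc/bind/acls/sales.acl";

# Accept only an IPv4 address or IPv4/prefix (assumption: clients are v4), so a
# malformed out-of-band report cannot put arbitrary text into named.conf.
valid_addr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print an acl block for named.conf: render_acl <name> <addr> [<addr>...]
render_acl() {
    name="$1"; shift
    printf 'acl "%s" {\n' "$name"
    for a in "$@"; do
        valid_addr "$a" || { echo "rejected address: $a" >&2; return 1; }
        printf '    %s;\n' "$a"
    done
    printf '};\n'
}

# Replace the include file atomically, check the whole config, then reload.
# The view then carries:  match-clients { sales; };
update_view_acl() {
    name="$1"; shift
    tmp="$ACL_DIR/.$name.acl.$$"
    if ! render_acl "$name" "$@" > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$ACL_DIR/$name.acl"
    # named keeps the old config on a parse error, but the failed reconfig
    # would go unnoticed; fail loudly here instead.
    named-checkconf
    rndc reconfig
}

# Usage: update-acl.sh <acl-name> <addr> [<addr>...]
if [ "$#" -ge 2 ]; then
    update_view_acl "$@"
fi
```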