Metazones or Something Else?

Brian Cuttler brian at wadsworth.org
Wed Aug 6 13:18:57 UTC 2014


Mark,

That looks like a nice format for it.

I'd still like to see named.conf mark some zones as
uneditable via rndc, just in case I want to allow a
peer institution to add/remove zones where I'm the
secondary, I want some mechanism to prevent them from
accidentally deleting zones I'm actually the master of.

Perhaps as 'simple' as having different zones fall under
different management keys? Is that possible? My zones
protected by a different management key than the zones that
my colleges use?

Albany.edu may provide DNS secondary for RPI.edu, but they
certainly don't want RPI to edit the wrong zones file.

On Wed, Aug 06, 2014 at 09:35:00AM +1000, Mark Andrews wrote:
> 
> Personally I'd like to extend UPDATE
> 
> 	allow-addzone { acl; };	 
> 	allow-delzone { acl; };
> e.g.
> 	nsupdate
> 	new zone
> 	server address [port]
> 	key name:secret
> 	[masters <list>]
> 	[allow-query <acl>]
> 	[allow-transfer <acl>]
> 	[allow-update <acl>]
> 	[conf text]
> 	[conf text]
> 	[conf text]
> 	[zone data for master]
> 	send
> 
> 	nsupdate
> 	del zone
> 	key name:secret
> 	send
> 
> Where "new" is an EDNS option which optionally has master addresses / names
> allow-query is an EDNS acl option of subtype query [default any; if missing]
> allow-transfer is an EDNS acl option of subtype transfer [default any; if missing]
> allow-update is an EDNS acl option of subtype update [default none; if missing]
> conf is an EDNS option which contains other configuration data for a zone
> 
> Mark
> 
> In message <20140805164053.GA11778 at fantomas.sk>, Matus UHLAR - fantomas writes:
> > On 05.08.14 11:43, Brian Cuttler wrote:
> > >The slave trusts the master, for zone files, but creating
> > >a new zone?
> > 
> > hmmm, when a meta-zone is signed by trusted key, why not? :-)
> > using notifies and IXFR would be even more great...
> > 
> > -- 
> > Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> > Warning: I wish NOT to receive e-mail advertising to this address.
> > Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> > You have the right to remain silent. Anything you say will be misquoted,
> > then used against you. 
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> > 
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
---
   Brian R Cuttler                 brian.cuttler at wadsworth.org
   Computer Systems Support        (v) 518 486-1697
   Wadsworth Center                (f) 518 473-6384
   NYS Department of Health        Help Desk 518 473-0773
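
Added example, not part of the original message and not BIND code: a sketch of the per-key separation asked about above, where each management key is scoped to the zones it may add or delete and locally mastered zones are refused for every remote key. The class, key name and policy contents are hypothetical; the zone names are taken from the message.

```python
from dataclasses import dataclass, field


def canon(zone: str) -> str:
    """DNS names compare case-insensitively; 'rpi.edu' and 'rpi.edu.' are one zone."""
    return zone.strip().lower().rstrip(".") + "."


@dataclass
class ZonePolicy:
    # Zones this server is master for: no remote key may add or delete them.
    protected: set = field(default_factory=set)
    # Management key name -> zones (or parent suffixes) that key may manage.
    key_scope: dict = field(default_factory=dict)

    def __post_init__(self):
        self.protected = {canon(z) for z in self.protected}
        self.key_scope = {k: {canon(z) for z in zs}
                          for k, zs in self.key_scope.items()}

    def allowed(self, key: str, action: str, zone: str) -> bool:
        if action not in ("addzone", "delzone"):
            return False                        # unknown action: deny
        z = canon(zone)
        if z in self.protected:
            return False                        # protection wins over any key scope
        scope = self.key_scope.get(key, set())  # unknown key: empty scope, so deny
        # Match the zone itself or a name below a delegated suffix, on a label
        # boundary so that 'notrpi.edu.' does not match 'rpi.edu.'.
        return any(z == s or z.endswith("." + s) for s in scope)


# Constructed policy: the peer's key is scoped to its own zones only.
POLICY = ZonePolicy(protected={"albany.edu"},
                    key_scope={"rpi-key": {"rpi.edu"}})

if __name__ == "__main__":
    for req in [("rpi-key", "addzone", "cs.RPI.edu"),
                ("rpi-key", "delzone", "Albany.EDU."),
                ("rpi-key", "addzone", "notrpi.edu")]:
        print(req, "->", "allow" if POLICY.allowed(*req) else "deny")
```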


