DDNS - limitation and excluding updates from certain networks

Grant Taylor gtaylor at tnetconsulting.net
Mon Dec 25 18:38:31 UTC 2017

On 12/25/2017 10:23 AM, MAYER Hans wrote:
> Hi Grant,

Hi Hans,

> Many thanks for the detailed information.

You're welcome.

> "update-policy" is new for me and maybe the solution.
> I have to dig deeper into the documentation.

It's relatively new for me too.  I think I became aware of it through 
one of the people I follow on Twitter.

>> 		update-policy { grant *.fx.movie.edu. self fx.movie.edu. A; };
> What does it say ?

My understanding is that <something>.fx.movie.edu is given permission to 
update its own A record.

I'd have to go back and re-read the documentation (Zytrax's page is 
good) to decode it further.

> So far I have seen the client is only allowed to update his own record. 
>  That means if the client has a new IP it can update the IP address.

That's my understanding as well.

> Does it mean the client is only allowed to update within the same network range ?

I don't think the update-policy statement above cares where the client 
is located.  Remember that we're talking about the A record in the 
fx.movie.edu zone.

> It seems I am missing some important information. Maybe I am blind,  but 
> how is the client name verified ?

The only times that I've used this was in combination with a TSIG key.

So that may be how the client is authenticating who it is to the DNS server.

> What happens if a client has for example the name “www” ?

I can't recall at the moment what the identifying factor is.  It may 
very well be embedded in the TSIG key.

> ( Assume we have already a record with name “www” and IP but in a 
> different network than the client )


> Kind regards


Grant. . . .
unix || die
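
An added illustration, not part of the original message and not BIND's own code: a simplified Python model of how the rule quoted above, `grant *.fx.movie.edu. self fx.movie.edu. A;`, is evaluated, following the BIND documentation's description of the `self` rule type (the name being updated must equal the name of the key that signed the update). The names `host1` and `www`, the class and the function names are constructed for the example, and the model covers only rules that list their record types.

```python
# Simplified model of a BIND update-policy "self" rule (illustration, not BIND code).
from dataclasses import dataclass
from typing import Optional, Tuple


def labels(name: str) -> Tuple[str, ...]:
    """Lower-case a DNS name and split it into labels, ignoring the trailing dot."""
    return tuple(name.lower().rstrip(".").split("."))


def identity_matches(signer: str, identity: str) -> bool:
    """Compare the name of the key that signed the update with the identity field."""
    s, i = labels(signer), labels(identity)
    if i[0] == "*":  # wildcard identity: the key name must sit below the parent
        parent = i[1:]
        return len(s) > len(parent) and s[len(s) - len(parent):] == parent
    return s == i


@dataclass(frozen=True)
class SelfRule:
    identity: str            # e.g. "*.fx.movie.edu."
    types: Tuple[str, ...]   # record types listed in the rule, e.g. ("A",)

    def allows(self, signer: Optional[str], name: str, rtype: str) -> bool:
        """Decide one update. The client's source address is not an input."""
        if signer is None:                      # unsigned update: no identity
            return False
        if not identity_matches(signer, self.identity):
            return False
        if labels(signer) != labels(name):      # "self": key name == record name
            return False
        return rtype.upper() in self.types


# The rule quoted in the thread; the name field (fx.movie.edu.) is ignored by "self".
RULE = SelfRule("*.fx.movie.edu.", ("A",))

if __name__ == "__main__":
    # Constructed requests: (signing key name, record being updated, type)
    for req in [
        ("host1.fx.movie.edu.", "host1.fx.movie.edu.", "A"),
        ("host1.fx.movie.edu.", "www.fx.movie.edu.", "A"),
        ("host1.fx.movie.edu.", "host1.fx.movie.edu.", "MX"),
        (None, "host1.fx.movie.edu.", "A"),
    ]:
        print(req, "->", "grant" if RULE.allows(*req) else "deny")
```
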
