DDNS - limitation and excluding updates from certain networks
Grant Taylor
gtaylor at tnetconsulting.net
Mon Dec 25 18:38:31 UTC 2017
On 12/25/2017 10:23 AM, MAYER Hans wrote:
> Hi Grant,
Hi Hans,
> Many thanks for the detailed information.
You're welcome.
> "update-policy" is new for me and maybe the solution.
> I have to dig deeper into the documentation.
It's relatively new for me too. I think I became aware of it through
one of the people I follow on Twitter.
>> update-policy { grant *.fx.movie.edu. self fx.movie.edu. A; };
>
> What does it say ?
My understanding is that <something>.fx.movie.edu is given permission to
update its own A record.
I'd have to go back and re-read the documentation (Zytrax's page is
good) to decode it further.
> So far I have seen the client is only allowed to update his own record.
> That means if the client has a new IP it can update the IP address.
That's my understanding as well.
> Does it mean the client is only allowed to update within the same network range ?
I don't think the update-policy statement above cares where the client
is located. Remember that we're talking about the A record in the
fx.movie.edu zone.
> It seems I am missing some important information. Maybe I am blind, but
> how is the client name verified ?
The only times that I've used this was in combination with a TSIG key.
So that may be how the client is authenticating who it is to the DNS server.
> What happens if a client has for example the name “www” ?
I can't recall at the moment what the identifying factor is. It may
very well be embedded in the TSIG key.
> ( Assume we have already a record with name “www” and IP but in a
> different network than the client )
*nod*
> Kind regards
Likewise.
--
Grant. . . .
unix || die
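
Added example, not part of the original message and not BIND source code: a simplified Python model of how the "self" rule type in the quoted update-policy line is evaluated, following the BIND ARM description (the signer's key name must match the identity field and equal the name being updated; the name field is ignored). Function names and the sample updates are constructed for illustration.

```python
# Simplified model of a BIND update-policy "self" rule (hypothetical helper names).
# The decision takes no source address: only the key name that signed the update,
# the owner name being updated, and the record type.

def labels(name):
    """Split a DNS name into lower-cased labels, ignoring the trailing dot."""
    return [part.lower() for part in name.rstrip(".").split(".") if part]

def identity_matches(signer, identity):
    """Match the TSIG key name (signer) against the rule's identity field."""
    s, i = labels(signer), labels(identity)
    if i and i[0] == "*":
        suffix = i[1:]
        # Wildcard identity: the signer must sit somewhere below the suffix.
        return len(s) > len(suffix) and s[len(s) - len(suffix):] == suffix
    return s == i

def self_rule_allows(signer, update_name, rrtype, identity, types):
    """Evaluate: grant <identity> self <name> <types>; (name field ignored)."""
    if signer is None:                      # unsigned update carries no identity
        return False
    if not identity_matches(signer, identity):
        return False
    if labels(signer) != labels(update_name):
        return False                        # key name must equal the record owner
    return rrtype.upper() in types

# The rule from the thread: grant *.fx.movie.edu. self fx.movie.edu. A;
RULE = {"identity": "*.fx.movie.edu.", "types": {"A"}}

def check(signer, update_name, rrtype):
    return self_rule_allows(signer, update_name, rrtype, **RULE)

if __name__ == "__main__":
    # Constructed sample updates: (TSIG key name, record owner, record type)
    samples = [
        ("host1.fx.movie.edu.", "host1.fx.movie.edu.", "A"),    # own A record
        ("host1.fx.movie.edu.", "www.fx.movie.edu.", "A"),      # someone else's name
        ("host1.fx.movie.edu.", "host1.fx.movie.edu.", "TXT"),  # type not granted
        (None, "host1.fx.movie.edu.", "A"),                     # no TSIG signature
    ]
    for signer, owner, rrtype in samples:
        verdict = "allow" if check(signer, owner, rrtype) else "deny"
        print(f"{verdict:5}  key={signer}  update={owner} {rrtype}")
```

In this model an existing "www" record can only be changed by an update signed with a key named www.fx.movie.edu., regardless of which network the update arrives from.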