Use external. You can create any rule you can think of with that.

> On 14 Feb 2023, at 20:29, André Steden <b...@steden.de> wrote:
>
> I want an external server to be able to update all the hosts' (A) records
> inside the example.de domain.
> But I don't want the external server to be able to create subdomain entries inside
> the example.de domain.
>
> Is this possible? What grant/deny rule must I use?
>
> -André
>
> On 13.02.2023 at 23:33, Mark Andrews wrote:
>> Step back and tell us what you are attempting to achieve.
>>
>> e.g. I want my hosts to be able to update their address records.
>>
>> grant admin-key subzone ANY;
>> grant * self . A AAAA;
>>
>> and use SIG(0) to sign the updates. The admin adds the public KEY record for
>> the machine using 'admin-key'.
>>
>> You generate a KEY record on the machine
>>
>> % dnssec-keygen -T KEY -a RSASHA256 -n host -L 3600 ns1.example.com
>> Generating key pair.
>> Kns1.example.com.+008+18976
>> %
>>
>> which produces the public key
>>
>> % cat Kns1.example.com.+008+18976.key
>> ns1.example.com. 3600 IN KEY 512 3 8
>> AwEAAaxeX1NDwHGxgBKNb/D9+JrwbRnoM+OIe/Y/f5X7gmXdiZ9xOjWM
>> alGauUtKzx1VvX2QyDUMs8zimoK4L+MM+ghEsvPjUBAnBN+p3Urq+Ae/
>> mxCmNMzwm3At18MS4TwmzJFFOOZCyQ2eIp0DiW8G+JZTr/3tYmZmPvTO
>> l4OSAZ3DRPQlwro2QH2gp2r3nIEdPbY4x5//H++5NSns6N2mAGo3fkA2
>> b6EpINrQJ40NPIOq8fvWGs+oiGFl83xsCWpbbezjMebdvMFDTaEZBqPS
>> vtqQCBfT7RRqIUebT6fKU3ZQh55Bah/5LJDIK3VDy05iAVVby/lCZ2YU IgGQm6NU1bM=
>> %
>>
>> and you add it to the zone like this
>>
>> % awk '{ print "update add", $0 } END { print "send" }' Kns1.example.com.+008+18976.key | nsupdate -k admin-key.key
>> %
>>
>> Add 'BEGIN { print "zone <parent zone name>" }' to the awk command if you
>> are updating glue address records this way.
>>
>> Then the host updates its address records using the private part of the
>> key pair
>>
>> % nsupdate -k Kns1.example.com.+008+18976.private
>> update add ns1.example.com 3600 IN A 10.0.0.1
>> update add ns1.example.com 3600 IN AAAA 2001::1
>> send
>> %
>>
>> You can do similar with TSIG by giving the key the same name as the machine,
>> but you also need to add key clauses for all the TSIG keys to named.conf.
>>
>>> On 14 Feb 2023, at 07:55, André Steden via bind-users
>>> <bind-users@lists.isc.org> wrote:
>>>
>>> But I don't want to specify all possible hostnames in the update-policy
>>> settings.
>>>
>>> There are more than 350 hosts in the example.de domain.
>>>
>>>
>>> On 13.02.2023 at 20:06, Jan-Piet Mens wrote:
>>>>> is it possible to restrict dynamic dns updates to one domain?
>>>> I think 'name' is what you're after:
>>>>
>>>> grant key-name name host1.example.de. A;
>>>>
>>>> You will be aware that the type list can take multiple space-separated
>>>> values.
>>>>
>>>> -JP
>>> --
>>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
>>> this list
>>>
>>> ISC funds the development of this software with paid support subscriptions.
>>> Contact us at https://www.isc.org/contact/ for more information.
>>>
>>>
>>> bind-users mailing list
>>> bind-users@lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
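Mark's "use external" answer refers to BIND's external update-policy rule, where named asks a daemon over a Unix-domain socket whether each record in an update is permitted. The daemon below is an added example, not code from this thread or from ISC: it answers "allow" only for A/AAAA records of names that already exist in example.de, which is the rule André asked for (a constructed host inventory stands in for the live zone). The request layout (version 1, length, NUL-terminated signer, name, source address, type and key strings, then the TKEY token) follows the BIND ARM's description of the external protocol; a connection-oriented socket, the key name `updater-key`, the socket path and a rule of the form `grant updater-key external local:/var/run/named/update-policy.sock;` are assumptions for the example.

```python
import os
import socket
import struct

# Constructed inventory: only names that already exist in the zone may have
# their address records refreshed (a real daemon would consult the live zone).
ZONE = "example.de"
KNOWN_HOSTS = {"host1.example.de", "host2.example.de"}
ALLOWED_TYPES = {"A", "AAAA"}
SSU_EXTERNAL_VERSION = 1

def build_request(signer, name, addr, rtype, key, tkey_token=b""):
    """Encode a request as named sends it for an 'external' rule: version,
    length, five NUL-terminated strings, TKEY token length, TKEY token."""
    body = b"".join(s.encode() + b"\0" for s in (signer, name, addr, rtype, key))
    body += struct.pack("!I", len(tkey_token)) + tkey_token
    return struct.pack("!II", SSU_EXTERNAL_VERSION, len(body)) + body

def parse_request(data):
    """Decode one request from named into its fields."""
    version, _length = struct.unpack("!II", data[:8])
    if version != SSU_EXTERNAL_VERSION:
        raise ValueError(f"unsupported protocol version {version}")
    fields = data[8:].split(b"\0", 5)  # maxsplit keeps NULs inside the token
    signer, name, addr, rtype, key = (f.decode() for f in fields[:5])
    (tkey_len,) = struct.unpack("!I", fields[5][:4])
    return {"signer": signer, "name": name, "addr": addr, "type": rtype,
            "key": key, "tkey_token": fields[5][4:4 + tkey_len]}

def is_allowed(req):
    """Permit A/AAAA changes only for names that already exist in example.de;
    a record that would create a new name, or of another type, is refused."""
    name = req["name"].lower().rstrip(".")  # named may omit the final dot
    return (req["type"].upper() in ALLOWED_TYPES
            and name.endswith("." + ZONE) and name in KNOWN_HOSTS)

def serve(path):
    """Answer named on the socket given in the grant rule: 4-byte 1 allows, 0 denies."""
    if os.path.exists(path):
        os.unlink(path)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(path)
        os.chmod(path, 0o660)  # the named user must be able to connect
        srv.listen()
        while True:
            conn, _ = srv.accept()
            with conn:
                data = conn.recv(65536)
                verdict = bool(data) and is_allowed(parse_request(data))
                conn.sendall(struct.pack("!I", 1 if verdict else 0))
```

Run `serve("/var/run/named/update-policy.sock")` (assumed path) as a long-lived process under the same user as named; because named consults the daemon for every record in an update, a single refused record fails the whole update.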