Use external.  You can create any rule you can think of with that.

> On 14 Feb 2023, at 20:29, André Steden <b...@steden.de> wrote:
> 
> I want an external server to be able to update all the hosts' (A) records 
> inside the example.de domain.
> But I don't want the external server to be able to create subdomain entries inside 
> the example.de domain.
> 
> Is this possible? What grant/deny rule must I use?
> 
> -André
> 
> On 13.02.2023 at 23:33, Mark Andrews wrote:
>> Step back and tell us what you are attempting to achieve.
>> 
>> e.g. I want my hosts to be able to update their address records.
>> 
>>      grant admin-key subzone ANY;
>>      grant * self . A AAAA;
>> 
>> and use SIG(0) to sign the updates. The admin adds the public KEY record for 
>> the machine using 'admin-key'.
>> 
>> You generate a KEY record on the machine
>> 
>> % dnssec-keygen -T KEY -a RSASHA256 -n host -L 3600 ns1.example.com
>> Generating key pair.
>> Kns1.example.com.+008+18976
>> %
>> 
>> which produces the public key
>> 
>> % cat Kns1.example.com.+008+18976.key
>> ns1.example.com. 3600 IN KEY 512 3 8 
>> AwEAAaxeX1NDwHGxgBKNb/D9+JrwbRnoM+OIe/Y/f5X7gmXdiZ9xOjWM 
>> alGauUtKzx1VvX2QyDUMs8zimoK4L+MM+ghEsvPjUBAnBN+p3Urq+Ae/ 
>> mxCmNMzwm3At18MS4TwmzJFFOOZCyQ2eIp0DiW8G+JZTr/3tYmZmPvTO 
>> l4OSAZ3DRPQlwro2QH2gp2r3nIEdPbY4x5//H++5NSns6N2mAGo3fkA2 
>> b6EpINrQJ40NPIOq8fvWGs+oiGFl83xsCWpbbezjMebdvMFDTaEZBqPS 
>> vtqQCBfT7RRqIUebT6fKU3ZQh55Bah/5LJDIK3VDy05iAVVby/lCZ2YU IgGQm6NU1bM=
>> %
>> 
>> and you add to the zone like this
>> 
>> % awk '{ print "update add", $0 } END { print "send" }' \
>>     Kns1.example.com.+008+18976.key | nsupdate -k admin-key.key
>> %
>> 
>> Add 'BEGIN { print "zone <parent zone name>" }' to the awk command if you 
>> are updating glue address records this way.
>> 
>> Then the host updates its address records using the private part of the 
>> key pair
>> 
>> % nsupdate -k Kns1.example.com.+008+18976.private
>> update add ns1.example.com 3600 IN A 10.0.0.1
>> update add ns1.example.com 3600 IN AAAA 2001::1
>> send
>> %
>> 
>> You can do similar with TSIG by giving the key the same name as the machine 
>> but you also need to add key clauses for all the TSIG keys to named.conf.
>> 
>>> On 14 Feb 2023, at 07:55, André Steden via bind-users 
>>> <bind-users@lists.isc.org> wrote:
>>> 
>>> But I don't want to specify all possible hostnames in the update-policy 
>>> settings.
>>> 
>>> There are more than 350 hosts in the example.de domain.
>>> 
>>> 
>>> On 13.02.2023 at 20:06, Jan-Piet Mens wrote:
>>>>> Is it possible to restrict dynamic DNS updates to one domain?
>>>> I think 'name' is what you're after:
>>>> 
>>>>     grant key-name name host1.example.de. A;
>>>> 
>>>> You will be aware that the type list can take multiple space-separated 
>>>> values.
>>>> 
>>>>     -JP

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
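Mark's one-line answer at the top of the thread points at the `external` nametype, where named asks a daemon over a UNIX socket whether to allow each update. As an added example (not from the thread and not ISC code), here is such a daemon implementing exactly the rule André asked for: A-record updates are permitted only for names one label below example.de, so the apex and any deeper (sub-subdomain) names are refused. The request layout is my reading of the BIND ARM's description of `external` (protocol version 1), the key name `extserver-key` is hypothetical, and the meaning of the length field is assumed; check both against the ARM for the BIND version you run.

```python
"""Policy daemon for a BIND 'external' update-policy rule (added example, not
from the thread). Request layout as I read the BIND ARM (protocol version 1):
  version u32 | length u32 | signer\0 name\0 tcp-addr\0 rdtype\0 key\0 |
  tkey-len u32 | tkey-token        reply: u32, 1 = permit, 0 = deny."""
import socket, struct

ZONE = "example.de."        # zone from the thread
SIGNER = "extserver-key."   # hypothetical key name of the external server

def canon(name: str) -> str:
    return name.lower().rstrip(".") + "."

def permitted(signer: str, name: str, rdtype: str, zone: str = ZONE) -> bool:
    """A records, signed by SIGNER, for names exactly one label below the apex;
    the apex itself, deeper names (sub-subdomains) and other types are denied."""
    if canon(signer) != canon(SIGNER) or rdtype.upper() != "A":
        return False
    n, z = canon(name), canon(zone)
    if not n.endswith("." + z):
        return False                               # outside the zone
    host = n[: -len("." + z)]                      # labels below the apex
    return host != "" and "." not in host          # exactly one label

def parse_request(buf: bytes) -> dict:
    version, _length = struct.unpack("!II", buf[:8])
    if version != 1:
        raise ValueError(f"unsupported external-policy version {version}")
    signer, name, tcpaddr, rdtype, key, rest = buf[8:].split(b"\0", 5)
    (tkeylen,) = struct.unpack("!I", rest[:4])
    if len(rest) != 4 + tkeylen:
        raise ValueError("truncated TKEY token")
    return dict(signer=signer.decode(), name=name.decode(), tcpaddr=tcpaddr.decode(),
                rdtype=rdtype.decode(), key=key.decode(), tkey=rest[4:])

def encode_request(signer, name, tcpaddr, rdtype, key, tkey=b"") -> bytes:
    # Client side, for testing; assumes 'length' counts the whole message.
    body = b"".join(s.encode() + b"\0" for s in (signer, name, tcpaddr, rdtype, key))
    body += struct.pack("!I", len(tkey)) + tkey
    return struct.pack("!II", 1, 8 + len(body)) + body

def serve(path: str) -> None:
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(8)
    while True:                                    # one request per connection
        conn, _ = srv.accept()
        with conn:
            req = parse_request(conn.recv(65536))  # requests are small: one read
            ok = permitted(req["signer"], req["name"], req["rdtype"])
            conn.sendall(struct.pack("!I", 1 if ok else 0))
```

Run it as a long-lived process calling `serve()` on the socket path that the `external` grant line in named.conf refers to; the socket must be reachable by the user named runs as.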

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
