This is not related to DNSSEC, but can still be done. At A.dyndns.xxx.com you'd have a CNAME which points to an A record at A.customers.dyndns.xxx.com, and the user's TSIG key would only allow modifying the record(s) in that subzone. So you'd have one subzone per customer, and the TSIG keys would allow access to one subzone each.
On Tue, Jun 22, 2021 at 2:18 PM David J. via Pdns-users <pdns-users@mailman.powerdns.com> wrote:
>
> Hello everyone,
>
> I would like to configure my own dyndns service. I managed to configure
> and make it work.
> I try now to secure this service.
>
> I followed with success this doc:
> https://doc.powerdns.com/authoritative/dnsupdate.html. However, as far
> as I understand, there is only one key for the whole zone, which means
> any client can update any record.
>
> I would like to be able to generate one key per client (dnssec-keygen -n
> host ?) and authorize this key to be able to update only the associated
> record.
> Example:
> - The zone is dyndns.xxx.com
> - A client would like to have the dynamic record A.dyndns.xxx.com
> - B would like B.dyndns.xxx.com
> - A must be able to update A.dyndns.xxx.com and only this record
> - Same for B.
>
> Can someone give me a hint, a URL to achieve that with pdns please?
> Did I miss something in the doc?
>
> Thank you very much,
>
> Best regards,
>
> --
> David J
> _______________________________________________
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
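Added example (not part of the thread and not PowerDNS code): a simplified Python model of the per-zone key check, contrasting the single shared key from the question with the one-subzone-per-customer layout from the reply. The key names and decision strings are constructed for illustration; in PowerDNS the per-zone key list corresponds to the TSIG-ALLOW-DNSUPDATE zone metadata covered in the linked doc.

```python
# Simplified model: an UPDATE names a target zone, is signed by one TSIG key,
# and lists the owner names it wants to change. Key names are constructed.

def in_zone(name, zone):
    """True if name is the zone apex or a descendant (label-wise, case-insensitive)."""
    n = name.lower().rstrip(".").split(".")
    z = zone.lower().rstrip(".").split(".")
    return len(n) >= len(z) and n[-len(z):] == z

def authorize(zone_keys, zone, key, names):
    """zone_keys maps zone name -> set of TSIG key names allowed to update it."""
    zone = zone.lower().rstrip(".")
    if zone not in zone_keys:
        return "denied: not authoritative for zone"
    if key not in zone_keys[zone]:
        return "denied: key not allowed for zone"
    if not all(in_zone(name, zone) for name in names):
        return "denied: name outside zone"
    return "ok"

# Layout from the question: one key for the whole zone.
SHARED = {"dyndns.xxx.com": {"shared-key"}}

# Layout from the reply: the parent holds only static CNAMEs
# (A.dyndns.xxx.com -> A.customers.dyndns.xxx.com) and lists no customer key;
# each customer gets one subzone and one key.
PER_CUSTOMER = {
    "dyndns.xxx.com": {"admin-key"},
    "a.customers.dyndns.xxx.com": {"key-a"},
    "b.customers.dyndns.xxx.com": {"key-b"},
}

def demo():
    a, b = "a.customers.dyndns.xxx.com", "b.customers.dyndns.xxx.com"
    return {
        # Shared key: client A can overwrite B's record.
        "shared_cross": authorize(SHARED, "dyndns.xxx.com", "shared-key", ["B.dyndns.xxx.com"]),
        # Per-customer keys: A updates its own subzone...
        "own": authorize(PER_CUSTOMER, a, "key-a", [a]),
        # ...but not B's subzone, not the CNAME in the parent,
        # and not a foreign name smuggled into an update of its own zone.
        "other_zone": authorize(PER_CUSTOMER, b, "key-a", [b]),
        "parent_cname": authorize(PER_CUSTOMER, "dyndns.xxx.com", "key-a", ["A.dyndns.xxx.com"]),
        "smuggled": authorize(PER_CUSTOMER, a, "key-a", [b]),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:13} {result}")
```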