Modify BIND ACLs on-the-fly?
Hello,

I'm looking at a BIND installation with a largish number of views, each of which allow recursion and contain a couple of RPZ zones. Each view has a `match-clients{}' option limiting access to the view to a very small number of addresses. (Typically the single address of a client with a dynamic IP address.)

When the IP of the client changes (reported and handled out-of-band), the address_match_list in the view must be modified, which I can do with includes scripting-magic followed by `rndc reconfig', but can I do this more elegantly? I was thinking along the lines of `rndc addzone', but that adds a zone to an existing view only.

A fresh study of the latest ARM reveals nothing that I could use to dynamically modify an ACL to place into match-clients{}, unless I've overlooked something.

<dreaming mode=on>

Maybe I'm dreaming along the lines of a BIND zone updatable via DDNS, that I can use to configure ACL content ... ;-)

        zone acl-list in {
                type master;
                allow-query { none; };
                file acl-list.db;
                update-policy local;
        };

        view j1 in {
                match-clients { sales.acl-list. ; };
        };
        ...

        $TTL 30
        @       SOA     acl-list. dev.null. 1 3600 1800 604800 30
                NS      localhost.
        sales   IN A    192.168.1.2
                IN A    192.168.83.45
                IN A    10.1.1.98

</dreaming>

Any ideas or suggestions?

Regards,

        -JP

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
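The "includes + `rndc reconfig`" workflow described in the post, as an added example that is not part of the original thread or of BIND itself: a small Python script that takes the out-of-band address report, validates every entry as a bare IP address or prefix, renders it as an `acl` statement into an include file, installs that file atomically, and only runs `rndc reconfig` once `named-checkconf` accepts the result. The ACL name `sales`, the include path `/etc/named/acl-sales.conf`, the `/etc/named.conf` location and a `match-clients { sales; };` in the view are assumptions made for illustration; the validation step is the security-relevant part, since the reported address is untrusted input that ends up inside named.conf.

```python
"""Regenerate a BIND match-clients ACL include from an out-of-band address
report and reload named.  Example code; the file layout is an assumption:

    /etc/named.conf:    include "/etc/named/acl-sales.conf";
                        view "j1" in { match-clients { sales; }; ... };
"""
import ipaddress
import os
import re
import subprocess
import tempfile

ACL_NAME_RE = re.compile(r"[A-Za-z0-9_-]+")


def validate_entry(entry):
    """Return the canonical form of one reported address or prefix, or None
    if it is not one.  Anything that is not a bare IP address or prefix is
    rejected, so a malformed (or hostile) report cannot smuggle named.conf
    syntax such as '};' into the include file."""
    try:
        net = ipaddress.ip_network(entry.strip())  # strict: host bits must be zero
    except ValueError:
        return None
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)  # single host: "192.168.1.2", not "/32"
    return net.with_prefixlen


def parse_addresses(raw_entries):
    """Validate a whole report; raise on the first bad entry rather than
    silently dropping it, so an operator sees the problem."""
    addresses = []
    for entry in raw_entries:
        canonical = validate_entry(entry)
        if canonical is None:
            raise ValueError(f"rejected ACL entry {entry!r}")
        addresses.append(canonical)
    return addresses


def render_acl(name, addresses):
    """Render an acl statement.  An empty list renders as 'none;' so the view
    fails closed instead of producing an empty address_match_list."""
    if not ACL_NAME_RE.fullmatch(name):
        raise ValueError(f"bad ACL name {name!r}")
    body = "\n".join(f"    {addr};" for addr in addresses) or "    none;"
    return f'acl "{name}" {{\n{body}\n}};\n'


def write_atomically(path, content):
    """Write via a temp file in the same directory and rename over the old
    include, so named never reads a half-written file during reconfig."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".acl-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, 0o640)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def update_view_acl(name, include_path, raw_entries):
    """Validate, render and install the include; returns the rendered text."""
    content = render_acl(name, parse_addresses(raw_entries))
    write_atomically(include_path, content)
    return content


def reload_named(named_conf="/etc/named.conf"):
    """Gate the reload on named-checkconf so a broken include is caught
    before rndc reconfig is attempted (assumed path for named.conf)."""
    subprocess.run(["named-checkconf", named_conf], check=True)
    subprocess.run(["rndc", "reconfig"], check=True)


if __name__ == "__main__":
    import sys
    # e.g.  update_acl.py sales /etc/named/acl-sales.conf 192.168.1.2 10.1.1.98
    acl_name, include_path, *entries = sys.argv[1:]
    print(update_view_acl(acl_name, include_path, entries), end="")
    reload_named()
```

With the three addresses from the dreamed zone file above, `render_acl("sales", parse_addresses([...]))` yields an `acl "sales" { ... };` block with one address per line; an entry such as `10.1.1.98/24` (host bits set) or anything carrying extra punctuation is refused before the file is written.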
Re: Modify BIND ACLs on-the-fly?
On 22/11/11 12:42, Jan-Piet Mens wrote:
> Maybe I'm dreaming along the lines of a BIND zone updatable via DDNS, that I can use to configure ACL content ... ;-)

I've wondered about that before. Seems it would be useful for a bunch of things.
Re: Modify BIND ACLs on-the-fly?
Jan-Piet Mens <jpmens@gmail.com> wrote:
> Any ideas or suggestions?

Not a practical one, but there are moves towards a standard nameserver control protocol:

http://tools.ietf.org/html/rfc6168
http://tools.ietf.org/html/draft-dickinson-dnsop-nameserver-control
http://ripe63.ripe.net/presentations/151-DNSCCM_RIPE63.pdf
http://www.dnsccm.org/

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
Biscay: Northwesterly 5 or 6 at first in west, otherwise variable 4. Moderate or rough, occasionally very rough at first in west. Showers. Mainly good.
Re: Modify BIND ACLs on-the-fly?
On 22.11.11 13:42, Jan-Piet Mens wrote:
> I'm looking at a BIND installation with a largish number of views, each of which allow recursion and contain a couple of RPZ zones. Each view has a `match-clients{}' option limiting access to the view to a very small number of addresses. (Typically the single address of a client with a dynamic IP address.)
>
> When the IP of the client changes (reported and handled out-of-band), the address_match_list in the view must be modified, which I can do with includes scripting-magic followed by `rndc reconfig', but can I do this more elegantly?

afaik your client can identify itself by TSIG instead of IP address. of course, this requires your client to support TSIG ...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
WinError #98652: Operation completed successfully.
Re: Modify BIND ACLs on-the-fly?
> afaik your client can identify itself by TSIG instead of IP address. of course, this requires your client to support TSIG ...

Unfortunately the clients are dumb stub resolvers (Linux, Mac, Windows), so TSIG is not an option.

        -JP
Re: Modify BIND ACLs on-the-fly?
>> afaik your client can identify itself by TSIG instead of IP address. of course, this requires your client to support TSIG ...

On 22.11.11 15:31, Jan-Piet Mens wrote:
> Unfortunately the clients are dumb stub resolvers (Linux, Mac, Windows), so TSIG is not an option.

no chance to run local tsig-aware proxy on them?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Due to unexpected conditions Windows 2000 will be released in first quarter of year 1901