Re: Restrict dynamic updates to one domain - disallow subdomains

2023-02-16 Thread André Steden via bind-users

I solved the problem with a small daemon and grant external.

It was not easy for me since I am not a C programmer.

It would be nice if there were some examples in C or Python in the 
future.


Regex support for grant rules would also be nice.

André

On 14.02.2023 at 14:18, Mark Andrews wrote:

Use external.  You can create any rule you can think of with that.


On 14 Feb 2023, at 20:29, André Steden wrote:

I want an external server to be able to update all the host (A) records inside 
the example.de domain.
But I don't want the external server to be able to create subdomain entries inside 
the example.de domain.

Is this possible? What grant/deny rule must I use?

-André

On 13.02.2023 at 23:33, Mark Andrews wrote:

Step back and tell us what you are attempting to achieve.

e.g. I want my hosts to be able to update their address records.

grant admin-key zonesub ANY;   // zonesub: any name inside the zone; takes no name field
grant * self . A ;             // a key may only update records at its own name

and use SIG(0) to sign the updates. The admin adds the public KEY record for 
the machine using 'admin-key'.

You generate a KEY record on the machine

% dnssec-keygen -T KEY -a RSASHA256 -n host -L 3600 ns1.example.com
Generating key pair+*.+*..+.+...+...+...++.+.+..+...+...+.+.+...+..++...+.+.+*.+.+..+.+.+..+..+.+...+.+..+...+++...++...+.+..+..+*.+.+.+.+.+.+...+..+.+..+.+.+..+..+.+...+..++..+...++.+.++.+.+...+..+.+.+.+..+..++..++.+...+
Kns1.example.com.+008+18976
%

which produces the public key

% cat Kns1.example.com.+008+18976.key
ns1.example.com. 3600 IN KEY 512 3 8 
AwEAAaxeX1NDwHGxgBKNb/D9+JrwbRnoM+OIe/Y/f5X7gmXdiZ9xOjWM 
alGauUtKzx1VvX2QyDUMs8zimoK4L+MM+ghEsvPjUBAnBN+p3Urq+Ae/ 
mxCmNMzwm3At18MS4TwmzJFFOOZCyQ2eIp0DiW8G+JZTr/3tYmZmPvTO 
l4OSAZ3DRPQlwro2QH2gp2r3nIEdPbY4x5//H++5NSns6N2mAGo3fkA2 
b6EpINrQJ40NPIOq8fvWGs+oiGFl83xsCWpbbezjMebdvMFDTaEZBqPS 
vtqQCBfT7RRqIUebT6fKU3ZQh55Bah/5LJDIK3VDy05iAVVby/lCZ2YU IgGQm6NU1bM=
%

and you add to the zone like this

% awk '{print "update add", $0 } END { print "send" }' \
    Kns1.example.com.+008+18976.key | nsupdate -k admin-key.key
%

Add 'BEGIN { print "zone " }' to the awk command if you are 
updating glue address records this way.

Then the host updates its address records using the private part of the key 
pair:

% nsupdate -k Kns1.example.com.+008+18976.private
update add ns1.example.com 3600 IN A 10.0.0.1
update add ns1.example.com 3600 IN AAAA 2001::1
send
%

You can do similar with TSIG by giving the key the same name as the machine but 
you also need to add key clauses for all the TSIG keys to named.conf.


On 14 Feb 2023, at 07:55, André Steden via bind-users wrote:

But I don't want to specify all possible hostnames in the update-policy 
settings.

There are more than 350 hosts in the example.de domain.


On 13.02.2023 at 20:06, Jan-Piet Mens wrote:

Is it possible to restrict dynamic DNS updates to one domain?

I think 'name' is what you're after:

 grant key-name name host1.example.de. A;

You will be aware that the type list can take multiple space-separated values.

 -JP

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

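A worked version of the "small daemon and grant external" approach from the message above. This is an added example, not the poster's daemon and not ISC code. It implements the request format the BIND ARM documents for the external rule type (4-byte protocol version 1, 4-byte request length, then NUL-terminated signer, name, TCP source address, record type and key, optionally followed by a TKEY token, answered with a 4-byte 0 or 1) over the local:<path> UNIX-domain socket named in the grant rule; it does not rely on how the length field is counted, only on the five NUL-terminated strings. The zone, the key name extserver-key, the socket path and the named.conf fragment in the docstring are assumptions; check the exact grant syntax your BIND version accepts with named-checkconf. The policy is the thread's: one key, only address records, and only owner names exactly one label below the apex, so host1.example.de passes while example.de and host1.subdomain1.example.de are refused.

```python
#!/usr/bin/env python3
"""One-zone, one-key 'external' update-policy daemon for BIND (added example).

Assumed named.conf (verify the exact grant syntax with named-checkconf):
    zone "example.de" {
        type primary; file "example.de.zone";
        update-policy { grant local:/run/named/ssu-external.sock external example.de. ANY; };
    };

Request layout per the BIND ARM ('external' rule type): 4-byte version (1),
4-byte length, then NUL-terminated signer, name, TCP source address, record
type and key; a TKEY token may follow and is ignored here. Reply: 4 bytes,
network byte order, 0 = deny, 1 = allow.
"""
import os
import socket
import struct
import sys

ZONE = "example.de"                            # the zone from the thread
ALLOWED_SIGNER = "extserver-key"               # assumed name of the external server's key
ALLOWED_TYPES = {"A", "AAAA"}                  # the thread asks for A; AAAA added here
SOCKET_PATH = "/run/named/ssu-external.sock"   # assumed; must match the grant line
PROTOCOL_VERSION = 1
MAX_REQUEST = 65536


def normalize(name: str) -> str:
    """Case-fold and drop the trailing dot: 'Host1.example.de.' -> 'host1.example.de'."""
    return name.strip().rstrip(".").lower()


def decide(signer: str, name: str, rtype: str) -> bool:
    """The policy: True only for an update we positively want, anything else is a deny."""
    if normalize(signer) != normalize(ALLOWED_SIGNER):
        return False
    if rtype.strip().upper() not in ALLOWED_TYPES:
        return False
    zone, owner = normalize(ZONE), normalize(name)
    if not owner.endswith("." + zone):      # the apex itself, or a name outside the zone
        return False
    label = owner[: -len(zone) - 1]         # whatever precedes '.example.de'
    # Exactly one ordinary label: '' (apex), 'a.b' (a subdomain) and '*' are refused.
    return bool(label) and "." not in label and label != "*"


def build_request(signer, name, addr, rtype, key="", token=b"") -> bytes:
    """Encode a request the way named sends it (used by the tests and for local checks)."""
    body = b"".join(s.encode() + b"\0" for s in (signer, name, addr, rtype, key))
    body += struct.pack("!I", len(token)) + token
    return struct.pack("!II", PROTOCOL_VERSION, len(body)) + body


def parse_request(data: bytes):
    """Return (signer, name, addr, rtype, key); raise ValueError on anything odd."""
    if len(data) < 8:
        raise ValueError("short header")
    version, length = struct.unpack("!II", data[:8])
    if version != PROTOCOL_VERSION:
        raise ValueError("unsupported protocol version %d" % version)
    if length > MAX_REQUEST:
        raise ValueError("oversized request")
    parts = data[8:].split(b"\0", 5)
    if len(parts) < 6:                      # fewer than five NUL-terminated strings
        raise ValueError("truncated request")
    return tuple(p.decode("ascii", "replace") for p in parts[:5])


def read_request(conn) -> bytes:
    """Read until the five NUL-terminated fields are in, the peer closes, or the cap is hit."""
    buf = b""
    while buf[8:].count(b"\0") < 5 and len(buf) < MAX_REQUEST:
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def handle(conn) -> bool:
    """Answer one request on an accepted connection; malformed input is a deny."""
    try:
        signer, name, addr, rtype, _key = parse_request(read_request(conn))
        allowed = decide(signer, name, rtype)
        print("%s signer=%s name=%s type=%s from=%s" % ("ALLOW" if allowed else "DENY",
                                                        signer, name, rtype, addr), file=sys.stderr)
    except ValueError as exc:
        print("DENY malformed request: %s" % exc, file=sys.stderr)
        allowed = False
    conn.sendall(struct.pack("!I", 1 if allowed else 0))
    return allowed


def serve(path: str = SOCKET_PATH) -> None:
    """Accept connections from named forever, one request per connection."""
    if os.path.exists(path):
        os.unlink(path)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(path)
        os.chmod(path, 0o660)   # run in named's group: reachable by named, not by everyone else
        srv.listen(16)
        while True:
            conn, _ = srv.accept()
            with conn:
                handle(conn)


if __name__ == "__main__":
    serve(sys.argv[1] if len(sys.argv) > 1 else SOCKET_PATH)
```

Run it as the same group as named so the socket is reachable by named but not world-accessible. Anything the daemon cannot parse is a deny, and if the daemon is down the external rule simply does not match, so with no later grant the update is refused. Test the policy before pointing named at it: send a signed update for host1.example.de and one for host1.subdomain1.example.de with nsupdate and check that only the first is applied and that named's log shows the second as refused.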


Re: Restrict dynamic updates to one domain - disallow subdomains

2023-02-14 Thread Mark Andrews
Use external.  You can create any rule you can think of with that.

> On 14 Feb 2023, at 20:29, André Steden wrote:
> 
> I want an external server to be able to update all the host (A) records 
> inside the example.de domain.
> But I don't want the external server to be able to create subdomain entries 
> inside the example.de domain.
> 
> Is this possible? What grant/deny rule must I use?
> 
> -André
> 
> On 13.02.2023 at 23:33, Mark Andrews wrote:
>> Step back and tell us what you are attempting to achieve.
>> 
>> e.g. I want my hosts to be able to update their address records.
>> 
>>  grant admin-key zonesub ANY;   // zonesub: any name inside the zone; takes no name field
>>  grant * self . A ;             // a key may only update records at its own name
>> 
>> and use SIG(0) to sign the updates. The admin adds the public KEY record for 
>> the machine using 'admin-key'.
>> 
>> You generate a KEY record on the machine
>> 
>> % dnssec-keygen -T KEY -a RSASHA256 -n host -L 3600 ns1.example.com
>> Generating key pair+*.+*..+.+...+...+...++.+.+..+...+...+.+.+...+..++...+.+.+*.+.+..+.+.+..+..+.+...+.+..+...+++...++...+.+..+..+*.+.+.+.+.+.+...+..+.+..+.+.+..+..+.+...+..++..+...++.+.++.+.+...+..+.+.+.+..+..++..++.+...+
>> Kns1.example.com.+008+18976
>> %
>> 
>> which produces the public key
>> 
>> % cat Kns1.example.com.+008+18976.key
>> ns1.example.com. 3600 IN KEY 512 3 8 
>> AwEAAaxeX1NDwHGxgBKNb/D9+JrwbRnoM+OIe/Y/f5X7gmXdiZ9xOjWM 
>> alGauUtKzx1VvX2QyDUMs8zimoK4L+MM+ghEsvPjUBAnBN+p3Urq+Ae/ 
>> mxCmNMzwm3At18MS4TwmzJFFOOZCyQ2eIp0DiW8G+JZTr/3tYmZmPvTO 
>> l4OSAZ3DRPQlwro2QH2gp2r3nIEdPbY4x5//H++5NSns6N2mAGo3fkA2 
>> b6EpINrQJ40NPIOq8fvWGs+oiGFl83xsCWpbbezjMebdvMFDTaEZBqPS 
>> vtqQCBfT7RRqIUebT6fKU3ZQh55Bah/5LJDIK3VDy05iAVVby/lCZ2YU IgGQm6NU1bM=
>> %
>> 
>> and you add to the zone like this
>> 
>> % awk '{print "update add", $0 } END { print "send" }' \
>>     Kns1.example.com.+008+18976.key | nsupdate -k admin-key.key
>> %
>> 
>> Add 'BEGIN { print "zone " }' to the awk command if you 
>> are updating glue address records this way.
>> 
>> Then the host updates its address records using the private part of the 
>> key pair:
>> 
>> % nsupdate -k Kns1.example.com.+008+18976.private
>> update add ns1.example.com 3600 IN A 10.0.0.1
>> update add ns1.example.com 3600 IN AAAA 2001::1
>> send
>> %
>> 
>> You can do similar with TSIG by giving the key the same name as the machine 
>> but you also need to add key clauses for all the TSIG keys to named.conf.
>> 
>>> On 14 Feb 2023, at 07:55, André Steden via bind-users wrote:
>>> 
>>> But I don't want to specify all possible hostnames in the update-policy 
>>> settings.
>>> 
>>> There are more than 350 hosts in the example.de domain.
>>> 
>>> 
>>> On 13.02.2023 at 20:06, Jan-Piet Mens wrote:
>>>>> Is it possible to restrict dynamic DNS updates to one domain?
>>>> 
>>>> I think 'name' is what you're after:
>>>> 
>>>> grant key-name name host1.example.de. A;
>>>> 
>>>> You will be aware that the type list can take multiple space-separated 
>>>> values.
>>>> 
>>>> -JP

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Re: Restrict dynamic updates to one domain - disallow subdomains

2023-02-14 Thread André Steden via bind-users
I want an external server to be able to update all the host (A) records 
inside the example.de domain.
But I don't want the external server to be able to create subdomain entries 
inside the example.de domain.


Is this possible? What grant/deny rule must I use?

-André

On 13.02.2023 at 23:33, Mark Andrews wrote:

Step back and tell us what you are attempting to achieve.

e.g. I want my hosts to be able to update their address records.

grant admin-key zonesub ANY;   // zonesub: any name inside the zone; takes no name field
grant * self . A ;             // a key may only update records at its own name

and use SIG(0) to sign the updates. The admin adds the public KEY record for 
the machine using 'admin-key'.

You generate a KEY record on the machine

% dnssec-keygen -T KEY -a RSASHA256 -n host -L 3600 ns1.example.com
Generating key pair+*.+*..+.+...+...+...++.+.+..+...+...+.+.+...+..++...+.+.+*.+.+..+.+.+..+..+.+...+.+..+...+++...++...+.+..+..+*.+.+.+.+.+.+...+..+.+..+.+.+..+..+.+...+..++..+...++.+.++.+.+...+..+.+.+.+..+..++..++.+...+
Kns1.example.com.+008+18976
%

which produces the public key

% cat Kns1.example.com.+008+18976.key
ns1.example.com. 3600 IN KEY 512 3 8 
AwEAAaxeX1NDwHGxgBKNb/D9+JrwbRnoM+OIe/Y/f5X7gmXdiZ9xOjWM 
alGauUtKzx1VvX2QyDUMs8zimoK4L+MM+ghEsvPjUBAnBN+p3Urq+Ae/ 
mxCmNMzwm3At18MS4TwmzJFFOOZCyQ2eIp0DiW8G+JZTr/3tYmZmPvTO 
l4OSAZ3DRPQlwro2QH2gp2r3nIEdPbY4x5//H++5NSns6N2mAGo3fkA2 
b6EpINrQJ40NPIOq8fvWGs+oiGFl83xsCWpbbezjMebdvMFDTaEZBqPS 
vtqQCBfT7RRqIUebT6fKU3ZQh55Bah/5LJDIK3VDy05iAVVby/lCZ2YU IgGQm6NU1bM=
%

and you add to the zone like this

% awk '{print "update add", $0 } END { print "send" }' \
    Kns1.example.com.+008+18976.key | nsupdate -k admin-key.key
%

Add 'BEGIN { print "zone " }' to the awk command if you are 
updating glue address records this way.

Then the host updates its address records using the private part of the key 
pair:

% nsupdate -k Kns1.example.com.+008+18976.private
update add ns1.example.com 3600 IN A 10.0.0.1
update add ns1.example.com 3600 IN AAAA 2001::1
send
%

You can do similar with TSIG by giving the key the same name as the machine but 
you also need to add key clauses for all the TSIG keys to named.conf.


On 14 Feb 2023, at 07:55, André Steden via bind-users wrote:

But I don't want to specify all possible hostnames in the update-policy 
settings.

There are more than 350 hosts in the example.de domain.


On 13.02.2023 at 20:06, Jan-Piet Mens wrote:

Is it possible to restrict dynamic DNS updates to one domain?

I think 'name' is what you're after:

 grant key-name name host1.example.de. A;

You will be aware that the type list can take multiple space-separated values.

 -JP




Re: Restrict dynamic updates to one domain - disallow subdomains

2023-02-13 Thread Mark Andrews
Step back and tell us what you are attempting to achieve.

e.g. I want my hosts to be able to update their address records.

grant admin-key zonesub ANY;   // zonesub: any name inside the zone; takes no name field
grant * self . A ;             // a key may only update records at its own name

and use SIG(0) to sign the updates. The admin adds the public KEY record for 
the machine using 'admin-key'.

You generate a KEY record on the machine

% dnssec-keygen -T KEY -a RSASHA256 -n host -L 3600 ns1.example.com
Generating key pair+*.+*..+.+...+...+...++.+.+..+...+...+.+.+...+..++...+.+.+*.+.+..+.+.+..+..+.+...+.+..+...+++...++...+.+..+..+*.+.+.+.+.+.+...+..+.+..+.+.+..+..+.+...+..++..+...++.+.++.+.+...+..+.+.+.+..+..++..++.+...+
Kns1.example.com.+008+18976
%

which produces the public key

% cat Kns1.example.com.+008+18976.key
ns1.example.com. 3600 IN KEY 512 3 8 
AwEAAaxeX1NDwHGxgBKNb/D9+JrwbRnoM+OIe/Y/f5X7gmXdiZ9xOjWM 
alGauUtKzx1VvX2QyDUMs8zimoK4L+MM+ghEsvPjUBAnBN+p3Urq+Ae/ 
mxCmNMzwm3At18MS4TwmzJFFOOZCyQ2eIp0DiW8G+JZTr/3tYmZmPvTO 
l4OSAZ3DRPQlwro2QH2gp2r3nIEdPbY4x5//H++5NSns6N2mAGo3fkA2 
b6EpINrQJ40NPIOq8fvWGs+oiGFl83xsCWpbbezjMebdvMFDTaEZBqPS 
vtqQCBfT7RRqIUebT6fKU3ZQh55Bah/5LJDIK3VDy05iAVVby/lCZ2YU IgGQm6NU1bM=
%

and you add to the zone like this

% awk '{print "update add", $0 } END { print "send" }' \
    Kns1.example.com.+008+18976.key | nsupdate -k admin-key.key
%

Add 'BEGIN { print "zone " }' to the awk command if you are 
updating glue address records this way.

Then the host updates its address records using the private part of the key 
pair:

% nsupdate -k Kns1.example.com.+008+18976.private
update add ns1.example.com 3600 IN A 10.0.0.1
update add ns1.example.com 3600 IN AAAA 2001::1
send
%

You can do similar with TSIG by giving the key the same name as the machine but 
you also need to add key clauses for all the TSIG keys to named.conf.

> On 14 Feb 2023, at 07:55, André Steden via bind-users wrote:
> 
> But I don't want to specify all possible hostnames in the update-policy 
> settings.
> 
> There are more than 350 hosts in the example.de domain.
> 
> 
> On 13.02.2023 at 20:06, Jan-Piet Mens wrote:
>>> Is it possible to restrict dynamic DNS updates to one domain?
>> 
>> I think 'name' is what you're after:
>> 
>> grant key-name name host1.example.de. A;
>> 
>> You will be aware that the type list can take multiple space-separated 
>> values.
>> 
>> -JP

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Re: Restrict dynamic updates to one domain - disallow subdomains

2023-02-13 Thread André Steden via bind-users
But I don't want to specify all possible hostnames in the update-policy 
settings.


There are more than 350 hosts in the example.de domain.


On 13.02.2023 at 20:06, Jan-Piet Mens wrote:

Is it possible to restrict dynamic DNS updates to one domain?


I think 'name' is what you're after:

grant key-name name host1.example.de. A;

You will be aware that the type list can take multiple space-separated 
values.


-JP



Re: Restrict dynamic updates to one domain - disallow subdomains

2023-02-13 Thread Jan-Piet Mens

Is it possible to restrict dynamic DNS updates to one domain?


I think 'name' is what you're after:

grant key-name name host1.example.de. A;

You will be aware that the type list can take multiple space-separated values.

-JP
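The rule types proposed in this thread, reduced to a few lines so the difference is visible on the original allow/deny cases: Jan-Piet's 'name' rule in the reply above, Mark's per-host 'self' rule with an admin key covering the whole zone (the 'zonesub' rule type) earlier on this page, and the 'subdomain' rule one reaches for first. This is an added example, not BIND's code. It models the update-policy semantics as the BIND ARM describes them for just these rule types (rules are tried in order and the first one whose identity, name and type all match decides; a rule with no explicit type list matches every type except RRSIG, NS, SOA, NSEC and NSEC3; 'ANY' is treated here as matching every type) and uses the thread's placeholder key names key-name and admin-key. It does not model the other rule types, nor the check that a name lies inside the zone being updated.

```python
"""Toy evaluator for the BIND update-policy rule types used in this thread (added example)."""
from typing import List, NamedTuple, Tuple

# Per the BIND ARM: a rule with no explicit type list matches every type except these.
IMPLICIT_TYPE_EXCLUSIONS = {"RRSIG", "NS", "SOA", "NSEC", "NSEC3"}


class Rule(NamedTuple):
    grant: bool                  # True for 'grant', False for 'deny'
    identity: str                # key name, or '*' for any signer
    ruletype: str                # 'name', 'subdomain', 'zonesub', 'self' or 'selfsub'
    name: str = "."              # rule name; ignored by zonesub and self
    types: Tuple[str, ...] = ()  # () = implicit list, ('ANY',) = everything


def labels(name: str) -> List[str]:
    """'Host1.example.de.' -> ['host1', 'example', 'de']; '.' -> []."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def same_name(a: str, b: str) -> bool:
    return labels(a) == labels(b)


def is_subdomain(name: str, parent: str) -> bool:
    """True when name equals parent or sits anywhere below it, at any depth."""
    n, p = labels(name), labels(parent)
    return len(n) >= len(p) and n[len(n) - len(p):] == p


def name_matches(rule: Rule, zone: str, signer: str, name: str) -> bool:
    if rule.ruletype == "name":
        return same_name(name, rule.name)
    if rule.ruletype == "subdomain":
        return is_subdomain(name, rule.name)
    if rule.ruletype == "zonesub":
        return is_subdomain(name, zone)
    if rule.ruletype == "self":
        return same_name(name, signer)
    if rule.ruletype == "selfsub":
        return is_subdomain(name, signer)
    raise ValueError("rule type %r is not modelled here" % rule.ruletype)


def type_matches(rule: Rule, rtype: str) -> bool:
    wanted = {t.upper() for t in rule.types}
    if not wanted:
        return rtype.upper() not in IMPLICIT_TYPE_EXCLUSIONS
    return "ANY" in wanted or rtype.upper() in wanted


def check_update(policy: List[Rule], zone: str, signer: str, name: str, rtype: str) -> bool:
    """First matching rule decides; with no match the update is refused."""
    for rule in policy:
        identity_ok = rule.identity == "*" or same_name(rule.identity, signer)
        if identity_ok and name_matches(rule, zone, signer, name) and type_matches(rule, rtype):
            return rule.grant
    return False


ZONE = "example.de"

# Jan-Piet's 'name' rule: exact owner name, so each of the 350 hosts needs its own line.
PER_HOST_POLICY = [Rule(True, "key-name", "name", "host1.example.de.", ("A",))]

# The tempting shortcut: 'subdomain' matches at any depth, so it also lets the key
# create host1.subdomain1.example.de, which is exactly what the question wants denied.
SUBDOMAIN_POLICY = [Rule(True, "key-name", "subdomain", "example.de.", ("A",))]

# Mark's layout: the admin key may change anything in the zone (it installs the hosts'
# KEY records); every other signer may only touch A records at its own name.
SELF_POLICY = [
    Rule(True, "admin-key", "zonesub", types=("ANY",)),
    Rule(True, "*", "self", ".", ("A",)),
]
```

The `self` rule is what makes the SIG(0) scheme scale: there is one rule for all 350 hosts, and a compromised host key can only rewrite that host's own address records, not create names below example.de or touch its neighbours.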


Restrict dynamic updates to one domain - disallow subdomains

2023-02-13 Thread André Steden via bind-users

Hello,

Is it possible to restrict dynamic DNS updates to one domain?

Allow this:

update add host1.example.de 86400 a 1.1.1.1
update add host2.example.de 86400 a 2.2.2.2

Deny this:

update add host1.subdomain1.example.de 86400 a 1.1.1.1
update add host2.anysubdomain.example.de 86400 a 2.2.2.2

What must I specify in the update-policy option for the example.de domain?

Regards, André