Actually you can do exactly the same thing for glue. KEY records below bottom of zone cut exactly the same way as you have A and AAAA below bottom of zone cut. The only difference is the zone listed in the UPDATE message.

zone example.com {
    ...
    update-policy {
        // allow a TSIG or SIG(0) update signed with administrator.example.com to change anything in the zone
        grant administrator.example.com. zonesub ANY;
        // allow a TSIG or SIG(0) update signed with name X to update anything at X
        grant * self * ANY;
    };
};

Now is that a “complicated” policy?

Coming soon “grant * tcp-self . PTR(1);” allow a TCP UPDATE to install a single PTR record at the matching reverse name of the TCP source address.

https://gitlab.isc.org/isc-projects/bind9/merge_requests/2124

> On 3 Oct 2019, at 12:30 pm, Masataka Ohta <mo...@necom830.hpcl.titech.ac.jp> wrote:
>
> Mark Andrews wrote:
>
>> There is also nothing stopping machines updating their addresses in
>> the DNS dynamically securely.
>
> Except that glue A/AAAA can not be updated so easily
> and security configuration is even more painful than
> address configuration.
>
> Masataka Ohta

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
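
An added example, not part of the original message and not BIND's code: a simplified Python model of how the `zonesub`, `self` and `tcp-self` grants quoted above decide whether an UPDATE is accepted, including the glue case where a key named after a name server updates its own address records in the parent zone. `Grant`, `norm` and `allowed` are hypothetical names; deny rules, rule ordering, the exclusions BIND applies to `ANY` and the `PTR(1)` record-count limit are not modelled.

```python
# Added illustration: simplified model of BIND update-policy grant rules.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:              # hypothetical name, not a BIND structure
    identity: str         # signer (TSIG/SIG(0) key name), "*" = any signer
    ruletype: str         # "zonesub", "self" or "tcp-self"
    types: tuple          # permitted record types; ("ANY",) = all

def norm(name):
    return name.rstrip(".").lower()

def allowed(rules, zone, signer, name, rtype, tcp_src=None):
    """True if some grant permits updating `rtype` at `name` in `zone`."""
    name, zone = norm(name), norm(zone)
    if name != zone and not name.endswith("." + zone):
        return False                      # name is outside the zone in the UPDATE
    for r in rules:
        if "ANY" not in r.types and rtype not in r.types:
            continue
        if r.ruletype == "tcp-self":
            # Identity is the TCP source address, mapped to its reverse name.
            if tcp_src and norm(ipaddress.ip_address(tcp_src).reverse_pointer) == name:
                return True
            continue
        if signer is None:
            continue                      # zonesub/self need a signed update
        if r.identity != "*" and norm(r.identity) != norm(signer):
            continue
        if r.ruletype == "zonesub":
            return True                   # any name at or below the zone apex
        if r.ruletype == "self" and norm(signer) == name:
            return True                   # key X may only touch records at X
    return False

# The policy from the message, for zone example.com.
POLICY = [Grant("administrator.example.com.", "zonesub", ("ANY",)),
          Grant("*", "self", ("ANY",))]
# The "coming soon" rule, applied to a constructed reverse zone.
REVERSE = [Grant("*", "tcp-self", ("PTR",))]

if __name__ == "__main__":
    # Glue case: key ns1.child.example.com updates its own AAAA in the parent zone.
    print(allowed(POLICY, "example.com", "ns1.child.example.com.", "ns1.child.example.com.", "AAAA"))
    print(allowed(POLICY, "example.com", "ns1.child.example.com.", "www.example.com.", "A"))
    print(allowed(REVERSE, "2.0.192.in-addr.arpa", None, "10.2.0.192.in-addr.arpa.", "PTR", "192.0.2.10"))
```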